sysadmin interview technical

Upload: kddoor

Post on 10-Apr-2018


8/8/2019 sysadmin interview Technical

Windows Server

Technical: Active Directory

1) What is Active Directory?
Active Directory is a directory service used on Microsoft Windows based computers and servers to store information and data about networks and domains.
An Active Directory can be defined as a hierarchical structure, and this structure is usually broken up into three main categories: the resources, which might include hardware such as printers; services for end users, such as web and e-mail servers; and objects, which are the main functions of the domain and network.

2) What is LDAP?
LDAP (Lightweight Directory Access Protocol) is a protocol for communications between LDAP servers and LDAP clients. LDAP servers store "directories" which are accessed by LDAP clients. LDAP is called lightweight because it is a smaller and simpler protocol derived from the X.500 DAP (Directory Access Protocol) defined in the OSI network protocol stack.
LDAP servers store a hierarchical directory of information. In LDAP parlance, a fully qualified name for a directory entry is called a Distinguished Name (DN). Like DNS FQDNs (Fully Qualified Domain Names), and unlike X.500 names, which are written root-first, LDAP DNs put the most significant component on the right: cn=billy,ou=managers,dc=cp,dc=com names the object billy inside the managers OU of the cp.com domain.

3) Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.
Yes. You can use DirXML or LDAP to connect to other directories (e.g. Novell eDirectory, formerly called Novell Directory Services (NDS)). Microsoft Identity Integration Server (MIIS) can also be used to connect Active Directory to other 3rd-party directory services (including directories used by SAP, Domino, etc.).

4) Where is the AD database held? What other folders are related to AD?
The AD database is saved in %systemroot%\NTDS. You can see other files in this folder as well. These are the main files controlling the AD structure:
ntds.dit
edb.log
res1.log
res2.log
edb.chk
When a change is made to the Win2K database, triggering a write operation, Win2K records the transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD database.

During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is 10MB. These files are reserved space, used to ensure that pending changes can still be written to disk should the system run out of free disk space. The checkpoint file (edb.chk) records which transactions have been committed to the AD database (ntds.dit). Note that ntds.dit contains the password hashes of every account in the domain, so the NTDS folder, DC backups and any copy of the file deserve the same protection as the DC itself.

5) What is the SYSVOL folder?
SYSVOL is the shared folder on every domain controller that holds the file-based part of Active Directory: Group Policy templates (the files behind each GPO), logon and logoff scripts and similar data. It can only be created on an NTFS partition. The SYSVOL folder on a Windows domain controller is used to replicate this file-based data among domain controllers (by the File Replication Service in older domains, by DFS Replication once the domain is at the Windows Server 2008 functional level and SYSVOL has been migrated). Because junctions are used within the SYSVOL folder structure, Windows NT file system (NTFS) version 5.0 is required on domain controllers throughout a Windows distributed file system (DFS) forest.

6) What is an Active Directory Naming Context?
Active Directory consists of three partitions or naming contexts (NCs): the Domain, Configuration and Schema naming contexts.
Each is replicated independently.
An Active Directory forest has a single schema and a single configuration.
Every domain controller (DC) holds a copy of the schema and configuration NCs.
A forest can have multiple domains.
Every domain controller in a domain holds a copy of that domain's NC.

7) Name the AD NCs and replication issues for each NC
Schema NC, Configuration NC, Domain NC.
Schema NC: This NC is replicated to every other domain controller in the forest. It contains information about the Active Directory schema, which in turn defines the different object classes and attributes within Active Directory.
Configuration NC: Also replicated to every other DC in the forest, this NC contains forest-wide configuration information pertaining to the physical layout of Active Directory (sites, subnets, site links), as well as information about display specifiers and forest-wide Active Directory quotas.
Domain NC: This NC is replicated to every other DC within a single Active Directory domain. This is the NC


that contains the most commonly accessed Active Directory data: the actual users, groups, computers, and other objects that reside within a particular Active Directory domain.

8) What are application partitions? When do I use them?
An application directory partition is a partition in Active Directory which an application can use to store application-specific data (the DNS application partitions DomainDnsZones and ForestDnsZones are the built-in examples). This partition is replicated only to the specific domain controllers you designate as replicas, and it is never included in the global catalog. Use one when data must be available on a chosen set of DCs without being replicated domain- or forest-wide.

The application directory partition can contain any type of data except security principals (users, computers, groups).

9) How do you create a new application partition?
When you create an application directory partition, you are creating the first instance of this partition. You can create an application directory partition by using the create nc option in the domain management menu of Ntdsutil (the menu is called partition management on Windows Server 2008 and later; domain management is still accepted). When creating an application directory partition using LDP or ADSI, provide a description in the description attribute of the domainDNS object that indicates the specific application that will use the partition. For example, if the application directory partition will be used to store data for a Microsoft accounting program, the description could be "Microsoft accounting application". Ntdsutil does not facilitate the creation of a description.
To create or delete an application directory partition:
1. Open a Command Prompt.
2. Type: ntdsutil
3. At the ntdsutil command prompt, type: domain management
4. At the domain management command prompt, do one of the following. To create an application directory partition, type: create nc ApplicationDirectoryPartition DomainCo...
Answer: Start >> Run >> cmd >> type "NTDSUTIL" and press Enter
ntdsutil: domain management (press Enter)
domain management: create nc dc=, dc=, dc=com
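An added example for Q6 to Q9 (not part of the original interview notes): it reads the naming contexts of the forest from the crossRef objects in the Configuration NC, tells domain, schema, configuration and application partitions apart, lists which DCs host each application partition, and shows the non-interactive ntdsutil form of the create nc step. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the Configuration NC; DC=AppData,DC=contoso,DC=com is a placeholder partition name.

```powershell
# Added example, not from the original notes. Enumerate and classify the
# partitions of the forest and show replica placement of application NCs.
Import-Module ActiveDirectory

$root     = Get-ADRootDSE
$configNC = $root.configurationNamingContext
$schemaNC = $root.schemaNamingContext

# Every partition in the forest is registered as a crossRef object under
# CN=Partitions in the Configuration NC. systemFlags bit 0x2 marks a domain
# NC; schema and configuration are matched by DN; the rest are application
# directory partitions.
$crossRefs = Get-ADObject -SearchBase "CN=Partitions,$configNC" `
    -LDAPFilter '(objectClass=crossRef)' `
    -Properties nCName, systemFlags, dnsRoot, 'msDS-NC-Replica-Locations', description

$crossRefs | ForEach-Object {
    $nc = $_.nCName
    $kind = if ($nc -eq $schemaNC)                 { 'Schema' }
            elseif ($nc -eq $configNC)             { 'Configuration' }
            elseif (($_.systemFlags -band 2) -ne 0) { 'Domain' }
            else                                   { 'Application' }

    [pscustomobject]@{
        Partition   = $nc
        Kind        = $kind
        DnsRoot     = $_.dnsRoot
        # For application partitions this attribute lists the NTDS Settings
        # objects of the DCs holding a replica (second RDN is the server name);
        # domain, schema and configuration NCs leave it empty.
        Replicas    = ($_.'msDS-NC-Replica-Locations' | ForEach-Object {
                          ($_ -split ',')[1] -replace '^CN=' }) -join ', '
        Description = $_.description
    }
} | Format-Table -AutoSize

# Creating a new application partition without the interactive menus:
# ntdsutil accepts the menu commands as arguments, and NULL means "the DC
# I am connected to", i.e. this DC. Run elevated on a domain controller.
# On Windows Server 2003 use "domain management" instead of "partition management".
# ntdsutil "partition management" "create nc DC=AppData,DC=contoso,DC=com NULL" quit quit

# ntdsutil cannot set the description, so add it afterwards over LDAP:
# Set-ADObject -Identity 'DC=AppData,DC=contoso,DC=com' -Description 'Microsoft accounting application'
```

The Replicas column is the quickest way to confirm that a partition really is restricted to the DCs you intended; a DNS application partition that is hosted by every DC in the forest, for instance, is replicating forest-wide even though it is "only" an application partition.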

10) How do you view replication properties for AD partitions and DCs?
By using Replication Monitor (Start > Run > replmon) or the repadmin command-line tool (Start > Run > cmd, then repadmin /showrepl).

11) What is the Global Catalog?
The global catalog (GC) contains a complete replica of all objects in Active Directory for its host domain, and a partial replica (only the attributes in the partial attribute set) of all objects in Active Directory for every other domain in the forest. A GC answers forest-wide LDAP searches on port 3268 (3269 for LDAP over SSL) in addition to the normal 389/636, and it is consulted at logon to resolve universal group membership.

12) How do you view all the GCs in the forest?
C:\>repadmin /showreps domain_controller (the DSA options line of a GC includes IS_GC)
OR you can use Replmon.exe for the same purpose.
OR use AD Sites and Services, or resolve the GC records in DNS: nslookup gc._msdcs.<forest root DNS name>

To find the GCs from the command line you can also use the DSQUERY command: dsquery server -isgc lists the GCs in the current domain, and to find all the GCs in the forest you can use dsquery server -forest -isgc.

13) Why not make all DCs in a large forest GCs?
The reason that all DCs are not GCs to start with is that in large (or even giant) forests every DC would have to hold a reference to every object in the entire forest, which could be quite large and quite a replication burden.

For a few hundred, or even a few thousand users, this is not likely to matter unless you have really poor WAN links. Sites without a GC still need one for logons that involve universal groups, which is what universal group membership caching is for.
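An added example for Q12 and Q13 (not part of the original interview notes): it lists every DC in the forest, shows per site which ones are global catalogs, cross-checks them against the gc._msdcs records in DNS, and flags sites that have neither a GC nor universal group membership caching, i.e. sites whose logons depend on a WAN link. It assumes the ActiveDirectory module, read access to the forest, and that DNS is reachable from where it runs.

```powershell
# Added example, not from the original notes. Global catalog coverage per site.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$configNC = (Get-ADRootDSE).configurationNamingContext

# Collect every DC in the forest, whichever domain it belongs to.
$dcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

# Every GC registers an A record under gc._msdcs.<forest root>; a GC missing
# here is one that clients cannot locate through DNS.
$gcFromDns = (Resolve-DnsName -Name "gc._msdcs.$($forest.RootDomain)" -Type A `
                 -ErrorAction SilentlyContinue).IPAddress

foreach ($site in $forest.Sites) {
    $siteDcs = $dcs | Where-Object Site -eq $site
    $gcs     = $siteDcs | Where-Object IsGlobalCatalog

    # Universal group membership caching is bit 0x20 of the options attribute
    # on the site's NTDS Site Settings object.
    $settings = Get-ADObject -Identity "CN=NTDS Site Settings,CN=$site,CN=Sites,$configNC" -Properties options
    $ugmc = (($settings.options -band 0x20) -ne 0)

    [pscustomobject]@{
        Site        = $site
        DCs         = ($siteDcs.HostName -join ', ')
        GCs         = ($gcs.HostName -join ', ')
        GCsInDns    = @($gcs | Where-Object { $gcFromDns -contains $_.IPv4Address }).Count
        UGMCEnabled = $ugmc
        # No GC and no caching: every logon needing universal group membership
        # crosses the WAN, and fails outright when the link is down.
        LogonRisk   = (-not $gcs -and -not $ugmc)
    }
}
```

Sites flagged LogonRisk are the ones where the Q13 trade-off has to be decided: either promote a local DC to GC (more replication over the link) or enable caching on the site (stale membership until the next refresh).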

14) Trying to look at the schema, how can I do that?


Different database servers use different commands to look at a schema, and the client software you use has features that make it easier to manipulate database objects. For Windows Active Directory this question refers to the Active Directory schema, in which case adsiedit.exe is a good place to start. See http://technet.microsoft.com/en-us/library/cc757747.aspx#w2k3tr_schem_tools_dzid for more information.

Another option is the Active Directory Schema MMC snap-in. Register schmmgmt.dll with this command:
c:\windows\system32>regsvr32 schmmgmt.dll
Then open mmc, add the "Active Directory Schema" snap-in, save the console as schema.msc, and open it from Administrative Tools. Viewing is read-only unless you are a member of Schema Admins and connected to the schema master.
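An added example (not part of the original interview notes): reading the schema over LDAP instead of through the snap-in, and checking who is allowed to change it. It assumes the ActiveDirectory module and that it is run in the forest root domain (Schema Admins lives there); the two helper functions and the attribute names queried at the end are illustrative choices, not anything the original page prescribes.

```powershell
# Added example, not from the original notes. Query the schema NC directly.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

function Get-SchemaClass {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    # Class definitions are classSchema objects; lDAPDisplayName is the name
    # used in LDAP filters (user, computer, group, ...).
    Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties subClassOf, mustContain, systemMustContain, mayContain, systemMayContain, auxiliaryClass
}

function Get-SchemaAttribute {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    # Attribute definitions are attributeSchema objects.
    Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties attributeSyntax, oMSyntax, isSingleValued, searchFlags, isMemberOfPartialAttributeSet
}

# What a user object can carry, and where it sits in the class hierarchy.
$user = Get-SchemaClass -LdapDisplayName 'user'
"user derives from $($user.subClassOf); optional attributes: " +
    (@($user.mayContain) + @($user.systemMayContain)).Count

# Two properties that matter for exposure: whether an attribute is copied to
# every global catalog (partial attribute set), and whether it is marked
# confidential (searchFlags bit 0x80: readable only with a control access
# right, not by every authenticated user).
foreach ($name in 'sAMAccountName', 'unicodePwd') {
    $a = Get-SchemaAttribute -LdapDisplayName $name
    [pscustomobject]@{
        Attribute    = $name
        InGC         = [bool]$a.isMemberOfPartialAttributeSet
        Confidential = (($a.searchFlags -band 0x80) -ne 0)
        SingleValued = $a.isSingleValued
    }
}

# Schema writes are accepted only by the schema master and only from members
# of Schema Admins; keep that group empty outside a planned schema change.
"Schema master: $((Get-ADForest).SchemaMaster)"
"Schema Admins members: " +
    ((Get-ADGroupMember -Identity 'Schema Admins' -Recursive).SamAccountName -join ', ')
```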

15) What are the Support Tools? Why do I need them?
The Windows Support Tools (shipped on the Windows Server 2003 CD, installed separately) are used to maintain AD services, including replication:
Ntdsutil.exe to make changes to or administer the AD database.
Replmon and repadmin to monitor and administer replication.
Netdiag to check the network configuration.

16) What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?

What is LDP?
A: LDP.exe is the graphical LDAP client from the Support Tools: it binds to a domain controller and lets you browse the directory tree and search, add, modify and delete objects and attributes over raw LDAP. The protocol it speaks, the Lightweight Directory Access Protocol (LDAP), is an application protocol for querying and modifying directory services running over TCP/IP. [1]
A directory is a set of objects with attributes organized in a logical and hierarchical manner. The most common example is the telephone directory, which consists of a series of names (either of persons or organizations) organized alphabetically, with each name having an address and phone number attached.
An LDAP directory tree often reflects various political, geographic, and/or organizational boundaries, depending on the model chosen. LDAP deployments today tend to use Domain Name System (DNS) names for structuring the topmost levels of the hierarchy. Deeper inside the directory might appear entries representing people, organizational units, printers, documents, groups of people or anything else that represents a given tree entry (or multiple entries). Its current version is LDAPv3, which is specified in a series of Internet Engineering Task Force (IETF)

Standards Track Requests for Comments (RFCs) as detailed in RFC 4510.
LDAP means Lightweight Directory Access Protocol. It determines how an object in Active Directory is named. LDAP is an open standard for accessing global or local directory services over a network and/or the Internet. A directory, in this sense, is very much like a phone book. LDAP can handle other information, but at present it is typically used to associate names with phone numbers and email addresses. LDAP directories are designed to support a high volume of queries, but the data stored in the directory does not change very often. It works on port 389 (636 for LDAP over SSL/TLS). LDAP is sometimes known as X.500 Lite. X.500 is an international standard for directories and full-featured, but it is also complex, requiring a lot of computing resources and the full OSI stack. LDAP, in contrast, can run easily on a PC and over TCP/IP. LDAP can access X.500 directories but does not support every capability of X.500.

What is REPLMON?
A: Replmon is the first tool you should use when troubleshooting Active Directory replication issues. As it is a graphical tool, replication issues are easy to see and somewhat easier to diagnose than using its command-line counterparts. The article linked below explains how to use it, lists some common replication errors and shows some examples of when replication issues can stop other network installation actions.

For more, go to http://www.techtutorials.net/articles/replmon_howto_a.html

What is ADSIEDIT?

A: ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects within a directory service. The attributes of each object can be edited or deleted by using this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active Directory. Because it enforces nothing beyond what the schema requires, a mistaken edit (to the Configuration NC, or to an object's security descriptor) takes effect on every DC as soon as it replicates, so use it with care. The following files are required for using this tool:
ADSIEDIT.DLL
ADSIEDIT.MSC

Regarding system requirements, a connection to an Active Directory environment and Microsoft Management Console (MMC) are necessary.

What is NETDOM?


A: NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and resetting secure channels.
A: Enables administrators to manage Active Directory domains and trust relationships from the command prompt. Netdom is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use netdom, you must run the netdom command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
You can use netdom to:

Join a computer that runs Windows XP Professional or Windows Vista to a Windows Server 2008, Windows Server 2003, Windows 2000 or Windows NT 4.0 domain.
  Provide an option to specify the organizational unit (OU) for the computer account.
  Generate a random computer password for an initial join operation.
Manage computer accounts for domain member workstations and member servers. Management operations include:
  Add, Remove, Query.
  An option to specify the OU for the computer account.
  An option to move an existing computer account for a member workstation from one domain to another while maintaining the security descriptor on the computer account.
Establish one-way or two-way trust relationships between domains, including the following kinds of trust relationships:
  From a Windows 2000, Windows Server 2003 or Windows Server 2008 domain to a Windows NT 4.0 domain.
  From a Windows 2000, Windows Server 2003 or Windows Server 2008 domain to a Windows 2000, Windows Server 2003 or Windows Server 2008 domain in another enterprise.
  Between two Windows 2000, Windows Server 2003 or Windows Server 2008 domains in an enterprise (a shortcut trust).
  The Windows Server 2008, Windows Server 2003 or Windows 2000 Server half of an interoperable Kerberos protocol realm.
Verify or reset the secure channel for the following configurations:
  Member workstations and servers.
  Backup domain controllers (BDCs) in a Windows NT 4.0 domain.
  Specific Windows Server 2008, Windows Server 2003 or Windows 2000 replicas.
Manage trust relationships between domains, including the following operations:
  Enumerate trust relationships (direct and indirect).
  View and change some attributes on a trust.

Syntax
Netdom uses the following general syntax:

NetDom <Operation> [<Computer>] [{/d: | /domain:} <Domain>] [<Options>]
NetDom help <Operation>
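An added example (not part of the original interview notes) of the netdom operations listed above as an administrator actually runs them, with their PowerShell equivalents and the trust attributes that decide how much an attacker who controls the other side of a trust can reach. contoso.com, fabrikam.com and dc01.contoso.com are placeholder names; the commands assume an elevated prompt on a domain member or DC and the ActiveDirectory module for the last part.

```powershell
# Added example, not from the original notes. Secure channel and trust checks.

# 1. Secure channel of this computer to its domain (netdom, then the
#    built-in cmdlet; both return success/failure, the cmdlet as $true/$false).
netdom verify $env:COMPUTERNAME /domain:contoso.com
Test-ComputerSecureChannel -Verbose

# Repair a broken channel without a rejoin. netdom needs an account allowed to
# reset the computer account password on the named DC.
# netdom resetpwd /server:dc01.contoso.com /userd:contoso\admin /passwordd:*
# Test-ComputerSecureChannel -Repair -Credential (Get-Credential)

# 2. Trusts: enumerate them, then verify one.
netdom query trust /domain:contoso.com
# netdom trust contoso.com /domain:fabrikam.com /verify

# 3. What the trust objects say. Direction and transitivity set the reach;
#    SID filtering (quarantine) blocks SIDs from the other side that do not
#    belong to it (SID history injection); selective authentication limits
#    which resources users from the trusted side may touch at all.
Import-Module ActiveDirectory
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, IntraForest,
        SIDFilteringQuarantined, SIDFilteringForestAware, SelectiveAuthentication,
        TrustType |
    Format-Table -AutoSize

# The same SID filtering state through netdom (no value = show current setting):
# netdom trust contoso.com /domain:fabrikam.com /quarantine
```

For an external (non-forest) trust, SIDFilteringQuarantined should be true; for a forest trust, SIDFilteringForestAware reports whether SID filtering is active across the forest boundary. Either reading false on a trust to an organisation you do not control is worth a ticket.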


What is REPADMIN?
A: Use the REPADMIN tool to force synchronization of new user information between all sites (repadmin /syncall), enabling new users to log on to the domain in a remote site without waiting for the inter-site schedule.
Other answer: REPADMIN is a built-in Windows diagnostic command-line utility that works at the Active Directory level. Although specific to Windows, it is also useful for diagnosing some Exchange replication problems, since Exchange Server is Active Directory based.

REPADMIN doesn't actually fix replication problems for you. But you can use it to help determine the source of a malfunction: repadmin /replsummary gives per-DC failure counts and the largest replication delta, and repadmin /showrepl lists every partner, partition and last error.
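An added example (not part of the original interview notes): a replication health check built on repadmin /showrepl * /csv, whose CSV output is turned into objects so that failing or stale partners are flagged instead of read off the raw listing. It assumes repadmin is present (Windows Server, or RSAT) and a domain account that can query every DC; the fallback rows are constructed sample output in repadmin's CSV layout so the parsing can be tried on a workstation without a domain.

```powershell
# Added example, not from the original notes. Replication status from repadmin.
function Get-ReplicationStatus {
    param([string]$Scope = '*', [int]$MaxHoursBehind = 24)

    $csv = if (Get-Command repadmin.exe -ErrorAction SilentlyContinue) {
        repadmin /showrepl $Scope /csv
    } else {
        # Constructed sample rows (repadmin /csv column layout) for offline use.
        @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC01,"DC=contoso,DC=com",Default-First-Site-Name,DC02,RPC,0,0,2024-01-10 08:00:00,0
showrepl_INFO,Branch,DC03,"DC=contoso,DC=com",Default-First-Site-Name,DC01,RPC,4,2024-01-10 07:55:00,2024-01-08 02:00:00,1722
'@ -split "`r?`n"
    }

    # The first line of repadmin's CSV output already carries the column names.
    foreach ($r in ($csv | ConvertFrom-Csv)) {
        $lastOk = [datetime]::MinValue
        [void][datetime]::TryParse($r.'Last Success Time', [ref]$lastOk)
        $hoursBehind = [math]::Round(((Get-Date) - $lastOk).TotalHours, 1)
        [pscustomobject]@{
            Destination = $r.'Destination DSA'
            Source      = $r.'Source DSA'
            Partition   = $r.'Naming Context'
            Failures    = [int]$r.'Number of Failures'
            LastStatus  = $r.'Last Failure Status'   # Win32 error, e.g. 1722 = RPC server unavailable
            HoursBehind = $hoursBehind
            # Failing, or silent for longer than the threshold: look at it before
            # it approaches the tombstone lifetime and lingering objects appear.
            Unhealthy   = ([int]$r.'Number of Failures' -gt 0 -or $hoursBehind -gt $MaxHoursBehind)
        }
    }
}

Get-ReplicationStatus | Sort-Object Unhealthy -Descending | Format-Table -AutoSize

# Follow-ups when a row is flagged:
# repadmin /replsummary                 per-DC failure totals and largest delta
# repadmin /showrepl DC03 /verbose      full partner list with error text
# repadmin /syncall DC03 /AdeP          force a sync of all partitions, all partners
```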

17) What are sites? What are they used for?
One or more well-connected (highly reliable and fast) TCP/IP subnets. A site allows administrators to configure Active Directory access and replication topology to take advantage of the physical network.
B: A Site object in Active Directory represents a physical geographic location that hosts networks. Sites contain objects called Subnets. [3] Sites can be used to assign Group Policy Objects, facilitate the discovery of resources (clients use their site to find the nearest DC and GC), manage Active Directory replication, and manage network link traffic. Sites can be linked to other sites. Site link objects may be assigned a cost value that represents the speed, reliability, availability, or other real property of a physical resource. Site links may also be assigned a schedule.

18) What's the difference between a site link's schedule and interval?
The schedule lets you list the weekdays and hours during which the site link is available for replication. The interval is how often inter-site replication recurs within that window, in minutes; it ranges from 15 to 10,080 minutes (one week), and the default is 180 minutes.

19) What is the KCC?
Within a site, a Windows Server 2003 service known as the KCC automatically generates a topology for replication among the domain controllers in the domain using a ring structure, adding connections so that no DC is more than three hops from any other. The KCC is a built-in process that runs on all domain controllers.

The KCC analyzes the replication topology within a site every 15 minutes to ensure that it still works. If you add or remove a domain controller from the network or a site, the KCC reconfigures the topology to reflect the change.
KCC is the Knowledge Consistency Checker, which creates the connection objects that link the DCs into a common replication topology and dictates the replication routes from one DC to another in the Active Directory forest.

20) What is the ISTG? Who has that role by default?
The Intersite Topology Generator (ISTG) is the one DC per site whose KCC is responsible for the connections between that site and other sites. In a forest at the Windows Server 2003 forest functional level the ISTG uses an improved spanning-tree algorithm that scales to far more sites than the Windows 2000 one.
By default the first DC promoted in a site has this role. If that server can no longer perform it (the other DCs in the site see that it has stopped updating its interSiteTopologyGenerator attribute), the DC with the next highest GUID takes over the role of ISTG.
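An added example for Q17 to Q20 (not part of the original interview notes): it reads the site links with their cost, interval and schedule, finds the ISTG recorded for every site, and lists the connection objects the KCC generated. It assumes the ActiveDirectory module and read access to the Configuration NC.

```powershell
# Added example, not from the original notes. Site topology from the Configuration NC.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext

# Site links: cost, interval, schedule. No schedule means the link is always
# available and replicates every IntervalMin minutes.
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded, ReplicationSchedule, options |
    ForEach-Object {
        [pscustomobject]@{
            SiteLink     = $_.Name
            Cost         = $_.Cost
            IntervalMin  = $_.ReplicationFrequencyInMinutes
            Sites        = ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', '
            HasSchedule  = ($null -ne $_.ReplicationSchedule)
            # options bit 0x1 (USE_NOTIFY): replicate on change across the link
            # instead of waiting for the interval.
            ChangeNotify = (($_.options -band 1) -ne 0)
        }
    } | Format-Table -AutoSize

# The ISTG of each site is recorded on the site's NTDS Site Settings object as
# the DN of the ISTG's NTDS Settings object; the server name is its second RDN.
foreach ($site in Get-ADReplicationSite -Filter *) {
    $settings = Get-ADObject -Identity "CN=NTDS Site Settings,CN=$($site.Name),CN=Sites,$configNC" `
        -Properties interSiteTopologyGenerator
    $istg = if ($settings.interSiteTopologyGenerator) {
        ($settings.interSiteTopologyGenerator -split ',')[1] -replace '^CN='
    } else { '(none: no DC in this site)' }
    [pscustomobject]@{ Site = $site.Name; ISTG = $istg }
}

# Connection objects. AutoGenerated ones are maintained by the KCC/ISTG;
# manually created ones are left alone and are easy to forget.
Get-ADReplicationConnection -Filter * -Properties AutoGenerated, ReplicateFromDirectory, ReplicateToDirectory |
    Select-Object Name, AutoGenerated,
        @{ n = 'From'; e = { ($_.ReplicateFromDirectory -split ',')[1] -replace '^CN=' } },
        @{ n = 'To';   e = { ($_.ReplicateToDirectory   -split ',')[1] -replace '^CN=' } } |
    Format-Table -AutoSize
```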

21) What are the requirements for installing AD on a new server?

An NTFS partition with enough free space (250MB minimum)
An Administrator's username and password
The correct operating system version
A NIC
Properly configured TCP/IP (IP address, subnet mask and, optionally, default gateway)
A network connection (to a hub or to another computer via a crossover cable)
An operational DNS server (which can be installed on the DC itself)
A domain name that you want to use
The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder)

22) What can you do to promote a server to DC if you're in a remote location with a slow WAN link?
First available in Windows Server 2003: install from media. Create a system state backup of an existing DC, restore it to a folder on the new remote server and run "dcpromo /adv". You will be prompted for the location of the system state files, and only the changes made since the backup are pulled over the WAN. On Windows Server 2008 and later the media is created with the ntdsutil ifm command instead of a system state backup.

23) How can you forcibly remove AD from a server, and what do you do later? Can I get user passwords from the AD database?


Type dcpromo /forceremoval to remove AD from a server that can no longer replicate with the rest of the domain. Afterwards the other DCs still believe that DC exists, so one has to delete the metadata of that DC as well, with the help of the NTDS utility (ntdsutil, metadata cleanup), and remove its DNS records.

Passwords are not stored in clear text in the AD database: ntds.dit holds password hashes (the NT hash, and a reversibly encrypted copy only where that policy is enabled), and the hash data is additionally encrypted with a key derived from the DC's boot key (SYSKEY). So you cannot simply read a password out of the file. With a copy of ntds.dit and the SYSTEM registry hive, however, freely available tools extract every hash, which can then be cracked or used directly (pass-the-hash), so treat the NTDS folder, DC backups, IFM media and DC virtual disks as the most sensitive data in the environment.

24) What tool would I use to try to grab security related packets from the wire?
A packet sniffer such as Ethereal (now Wireshark) or Microsoft Network Monitor captures traffic from the wire; on a switched network you also need a mirror (SPAN) port or a tap to see traffic that is not addressed to your host. Conversely, use sniffer-detecting tools to help stop the snoops on your own network.

25) Name some OU design considerations.
OU design requires balancing requirements for delegating administrative rights, independent of Group Policy needs, and the need to scope the application of Group Policy. The following OU design recommendations address delegation and scope issues:
Applying Group Policy: an OU is the lowest-level Active Directory container to which you can assign Group Policy settings.
Delegating administrative authority: group objects into OUs so that rights can be delegated on the OU rather than on individual objects.
Usually don't go more than 3 OU levels deep.

26) What is the tombstone lifetime attribute?
The number of days before a deleted object (a tombstone) is permanently removed from the directory service. This assists in removing objects from replicated servers and preventing restores from reintroducing a deleted object: a backup, install-from-media set or DC that has been disconnected for longer than the tombstone lifetime must not be brought back into the domain. The value is the tombstoneLifetime attribute of the Directory Service object in the Configuration NC. By default it is 60 days for a forest created with Windows 2000 or Windows Server 2003, and 180 days for a forest created with Windows Server 2003 SP1 or later.
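An added example for Q22, Q23 and Q26 (not part of the original interview notes): the current form of install-from-media promotion, the tombstone lifetime check that decides whether the media is still usable, and forced demotion with the metadata cleanup that follows. dc03, contoso.com, the Branch site and the paths are placeholders; everything assumes an elevated prompt, the ActiveDirectory and ADDSDeployment modules, and Windows Server 2008 or later for the ntdsutil ifm command.

```powershell
# Added example, not from the original notes. IFM promotion, tombstone check,
# forced removal and metadata cleanup.

# On an existing, healthy DC: create the media. "sysvol full" includes SYSVOL
# as well as the database. The folder contains ntds.dit and the registry
# hives needed to decrypt it, i.e. every password hash in the domain: encrypt
# it in transit and destroy it after the promotion.
ntdsutil "activate instance ntds" ifm "create sysvol full C:\IFM" quit quit

# Check the media is younger than the tombstone lifetime before using it;
# an older copy would reintroduce deleted objects.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$tsl = (Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
            -Properties tombstoneLifetime).tombstoneLifetime
if (-not $tsl) { $tsl = 60 }    # attribute absent = 60-day default
"Tombstone lifetime: $tsl days; media created on $((Get-Item C:\IFM).CreationTime)"

# On the remote server, after copying C:\IFM to D:\IFM (commented out so the
# script can be read without promoting anything):
# Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
# Install-ADDSDomainController -DomainName contoso.com `
#     -InstallationMediaPath 'D:\IFM' -SiteName 'Branch' -InstallDns `
#     -Credential (Get-Credential) `
#     -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')

# Forced removal of a DC that can no longer reach the domain (Q23), then the
# cleanup the surviving DCs need so they stop replicating with a ghost:
# Uninstall-ADDSDomainController -ForceRemoval -DemoteOperationMasterRole `
#     -LocalAdministratorPassword (Read-Host -AsSecureString 'local admin password')
# ntdsutil "metadata cleanup" "remove selected server CN=DC03,CN=Servers,CN=Branch,CN=Sites,$configNC" quit quit
# Then delete the DC's A, SRV and NS records from DNS, and check that no FSMO
# role still points at it: netdom query fsmo
```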

27) What do you do to install a new Windows 2003 DC in a Windows 2000 AD?
If you plan to install Windows Server 2003 domain controllers into an existing Windows 2000 domain, or upgrade a Windows 2000 domain controller to Windows Server 2003, you first need to run the Adprep.exe utility on the Windows 2000 domain controllers currently holding the schema master and infrastructure master roles. The adprep /forestprep command must first be issued on the Windows 2000 server holding the schema master role in the forest root domain to prepare the existing schema to support Windows 2003 Active Directory. The adprep /domainprep command must then be issued on the server holding the infrastructure master role in each domain where a Windows Server 2003 DC will be deployed.

28) What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?
A. If you're installing Windows 2003 R2 on an existing Windows 2003 server with SP1 installed, you require only the second R2 CD-ROM. Insert the second CD and r2auto.exe will display the Windows 2003 R2 Continue Setup screen.
If you're installing R2 on a domain controller (DC), you must first upgrade the schema to the R2 version (this is a minor change and mostly related to the new DFS replication engine). To update the schema, run the Adprep utility, which you'll find in the Cmpnents\r2\adprep folder on the second CD-ROM. Before running this command, ensure all DCs are running Windows 2003 or Windows 2000 with SP2 (or later). Here's a sample execution of the Adprep /forestprep command:
D:\CMPNENTS\R2\ADPREP>adprep /forestprep

ADPREP WARNING:
Before running adprep, all Windows 2000 domain controllers in the forest should be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows 2000 SP2 (or later).
QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent potential domain controller corruption.
For more information about preparing your forest and domain see KB article Q331161 at http://support.microsoft.com.
[User Action] If ALL your existing Windows 2000 domain controllers meet this requirement, type C and then press ENTER to continue. Otherwise, type any other key and press ENTER to quit.
C
Opened Connection to SAVDALDC01
SSPI Bind succeeded
Current Schema Version is 30
Upgrading schema to version 31
Connecting to "SAVDALDC01"
Logging in as current user using SSPI
Importing directory from file "C:\WINDOWS\system32\sch31.ldf"
Loading entries....
139 entries modified successfully.

The command has completed successfully
Adprep successfully updated the forest-wide information.
After running Adprep, install R2 by performing these steps:
Click the "Continue Windows Server 2003 R2 Setup" link, as the figure shows.


At the "Welcome to the Windows Server 2003 R2 Setup Wizard" screen, click Next.
You'll be prompted to enter an R2 CD key (this is different from your existing Windows 2003 keys) if the underlying OS wasn't installed from R2 media (e.g., a regular Windows 2003 SP1 installation). Enter the R2 key and click Next. Note: The license key entered for R2 must match the underlying OS type, which means if you installed Windows 2003 using a volume-license version key, then you can't use a retail or Microsoft Developer Network (MSDN) R2 key.

You'll see the setup summary screen, which confirms the actions to be performed (e.g., Copy files). Click Next. After the installation is complete, you'll see a confirmation dialog box. Click Finish.

29) How would you find all users that have not logged on since last month?
You can use a batch file built on dsquery user -inactive <weeks> (Windows Server 2003 and later), or query the lastLogonTimestamp attribute directly. Note that lastLogon is exact but not replicated, so using it means asking every DC, while lastLogonTimestamp is replicated but only refreshed when the stored value is more than 9 to 14 days old, so it can be up to two weeks behind.

30) What are the DS* commands?
The new DS (Directory Service) family of built-in command-line utilities for Windows Server 2003 Active Directory.
A: New DS built-in tools for Windows Server 2003. The DS (Directory Service) group of commands is split into two families. In one branch are DSadd, DSmod, DSrm and DSmove, and in the other branch are DSquery and DSget.

When it comes to choosing a scripting tool for Active Directory objects, you really are spoilt for choice. The DS family of built-in command-line executables offers alternative strategies to CSVDE, LDIFDE and VBScript. Let me introduce you to the members of the DS family:
DSadd - add Active Directory users and groups
DSmod - modify Active Directory objects
DSrm - delete Active Directory objects
DSmove - relocate objects
DSquery - find objects that match your query attributes
DSget - list the properties of an object

DS Syntax
These DS tools have their own command structure, which you can split into five parts:
1 Tool, 2 object, 3 "DN" (as in LDAP distinguished name), 4 -switch, 5 value. For example:

DSadd user "cn=billy, ou=managers, dc=cp, dc=com" -pwd cX49pQba
This will add a user called Billy to the Managers OU and set the password to cX49pQba.
Here are some of the common DS switches which work with DSadd and DSmod: -pwd (password), -upn (userPrincipalName), -fn (first name), -samid (SAM account name).
The best way to learn about this DS family is to log on at a domain controller and experiment from the command line. I have prepared examples of the two most common programs. Try some sample commands for DSadd.

Two most useful tools: DSquery and DSget
DSquery and DSget remind me of UNIX commands in that they operate at the command line, use powerful verbs, and produce plenty of action. One prerequisite for getting the most from this DS family is a working knowledge of LDAP.
If you need to query users or computers from a range of OUs and then return information, for example office or department manager, then DSquery and DSget would be your tools of choice. Moreover, you can export the information into a text file.
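An added example for Q29 and Q30 (not part of the original interview notes): the inactive-user search done with the DS family (dsquery piped into dsget, as the text describes) and then with the ActiveDirectory module, which exposes the actual lastLogonTimestamp so the replication slack is visible. The OU, output path and the Get-StaleUser helper are illustrative; the commands assume Windows Server 2003 or later DS tools and, for the second part, the ActiveDirectory module.

```powershell
# Added example, not from the original notes. Stale accounts two ways.

# 1. DS family: dsquery finds the DNs, dsget turns them into readable columns.
#    -inactive 4 = no logon (lastLogonTimestamp) in the last 4 weeks; -limit 0
#    removes the default cap of 100 results.
dsquery user "OU=Users,DC=contoso,DC=com" -inactive 4 -limit 0 |
    dsget user -samid -display -disabled > C:\Temp\inactive-users.txt

# 2. PowerShell with the exact stamp and the flags an attacker would also look
#    for: enabled, long unused, password never expires.
Import-Module ActiveDirectory
function Get-StaleUser {
    param(
        [int]$Days = 30,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    # lastLogonTimestamp replicates, but is only rewritten when the stored value
    # is more than 9-14 days old, so the date shown can be up to 14 days early.
    # lastLogon is exact but lives only on the DC that handled the logon.
    Get-ADUser -Filter { Enabled -eq $true } -SearchBase $SearchBase `
        -Properties lastLogonTimestamp, PasswordNeverExpires, whenCreated |
        ForEach-Object {
            $last = if ($_.lastLogonTimestamp) { [datetime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
            [pscustomobject]@{
                SamAccountName       = $_.SamAccountName
                LastLogonTimestamp   = $last
                Created              = $_.whenCreated
                PasswordNeverExpires = $_.PasswordNeverExpires
                # Accounts that never logged on count as stale once they are older than the cutoff.
                Stale = (-not $last -and $_.whenCreated -lt $cutoff) -or ($last -and $last -lt $cutoff)
            }
        } | Where-Object Stale
}

Get-StaleUser -Days 30 | Sort-Object LastLogonTimestamp | Format-Table -AutoSize

# Built-in shortcut with the same timestamp logic:
# Search-ADAccount -AccountInactive -TimeSpan 30.00:00:00 -UsersOnly
```

Whichever way the list is produced, disable first and delete later: a disabled account keeps its SID and group memberships for the period in which someone may still claim it, while a deleted one is gone after the tombstone lifetime.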

31) What's the difference between LDIFDE and CSVDE? Usage considerations?
Ldifde
Ldifde creates, modifies, and deletes directory objects on computers running Windows Server 2003 operating systems or Windows XP Professional. You can also use Ldifde to extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory with data from other directory services.
The LDAP Data Interchange Format (LDIF) is a draft Internet standard for a file format that may be used for performing batch operations against directories that conform to the LDAP standards. LDIF can be used to export and import data, allowing batch operations such as add, create, and modify to be performed against Active Directory. A utility program called LDIFDE is included in Windows 2000 to support batch operations based on the LDIF file format standard. The Microsoft article below explains how the LDIFDE utility can be used to migrate directories.
http://support.microsoft.com/kb/237677

Csvde


Imports and exports data from Active Directory Domain Services (AD DS) using files that store data in the comma-separated value (CSV) format. You can also support batch operations based on the CSV file format standard.
Csvde is a command-line tool that is built into Windows Server 2008 in the %systemroot%\system32 folder. It is available if you have the AD DS or Active Directory Lightweight Directory Services (AD LDS) server role installed. To use csvde, you must run the csvde command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
http://technet.microsoft.com/en-us/library/cc732101.aspx

DIFFERENCE USAGE WISE
Csvde.exe is a Microsoft Windows 2000 command-line utility that is located in the SystemRoot\System32 folder after you install Windows 2000. Csvde.exe is similar to Ldifde.exe, but it extracts information in a comma-separated value (CSV) format. You can use Csvde to import and export Active Directory data that uses the comma-separated value format. Use a spreadsheet program such as Microsoft Excel to open this .csv file and view the header and value information. See Microsoft Excel Help for information about functions such as Concatenate that can simplify the process of building a .csv file.

Note: Although Csvde is similar to Ldifde, Csvde has a significant limitation: it can only import and export Active Directory data by using a comma-separated format (.csv), and it can only add objects on import. Microsoft recommends that you use the Ldifde utility for Modify or Delete operations. Additionally, the distinguished name (also known as DN) of the item that you are trying to import must be in the first column of the .csv file or the import will not work.

The source .csv file can come from an Exchange Server directory export. However, because of the difference in attribute mappings between the Exchange Server directory and Active Directory, you must make some modifications to the .csv file. For example, a directory export from Exchange Server has a column that is named "obj-class" that you must rename to "objectClass". You must also rename "Display Name" to "displayName".
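An added example (not part of the original interview notes) of the split described above: a CSV import with the DN in the first column, an ldifde export restricted to one OU and a few attributes, and the modify/delete operations that only LDIF can express. The users, the ou=managers,dc=cp,dc=com container from the DSadd example and the C:\Temp paths are placeholders; the commands assume an elevated prompt on a DC or RSAT machine, as a user allowed to create objects in that OU.

```powershell
# Added example, not from the original notes. csvde for bulk add, ldifde for
# export and for modify/delete.

# 1. A CSV for csvde, constructed here. DN must be the first column; objectClass
#    is required; the remaining columns are ordinary attributes.
$csv = @'
DN,objectClass,sAMAccountName,userPrincipalName,displayName,description
"CN=Billy Test,OU=Managers,DC=cp,DC=com",user,billy,billy@cp.com,Billy Test,Imported with csvde
"CN=Jane Test,OU=Managers,DC=cp,DC=com",user,jane,jane@cp.com,Jane Test,Imported with csvde
'@
Set-Content -Path C:\Temp\users.csv -Value $csv -Encoding ASCII

# -i import, -f file, -k keep going on "already exists"/constraint errors, -j log folder.
csvde -i -f C:\Temp\users.csv -k -j C:\Temp

# Accounts created this way have no password and are disabled (userAccountControl
# defaults to 0x202): csvde cannot set unicodePwd. Set a password before enabling:
# Set-ADAccountPassword -Identity billy -Reset -NewPassword (Read-Host -AsSecureString)
# Enable-ADAccount -Identity billy

# 2. Export with ldifde, limited by base DN (-d), LDAP filter (-r) and
#    attribute list (-l) so the dump does not carry every attribute of every object.
ldifde -f C:\Temp\managers.ldf -d "OU=Managers,DC=cp,DC=com" `
    -r "(objectClass=user)" -l "sAMAccountName,displayName,description"

# 3. Modify and delete: LDIF changetype records, which csvde has no equivalent for.
$ldif = @'
dn: CN=Billy Test,OU=Managers,DC=cp,DC=com
changetype: modify
replace: description
description: Updated with ldifde
-

dn: CN=Jane Test,OU=Managers,DC=cp,DC=com
changetype: delete
'@
Set-Content -Path C:\Temp\changes.ldf -Value $ldif -Encoding ASCII
ldifde -i -f C:\Temp\changes.ldf -k -j C:\Temp
```

Keep the export files out of shared locations: a full ldifde dump of a domain is the same reconnaissance data an attacker would collect first (group memberships, service accounts, descriptions that too often contain passwords).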

32) What are the FSMO roles? Who has them by default? What happens when each one fails?
There are just five operations where the usual multiple-master model breaks down, and the Active Directory task must only be carried out on one domain controller. By default the first DC installed in the forest holds all five roles, and the first DC installed in each additional domain holds that domain's three domain-wide roles (PDC Emulator, RID Master, Infrastructure Master). FSMO roles:
PDC Emulator - Most famous for backwards compatibility with NT 4.0 BDCs. However, the role has other jobs which operate even in Windows 2003 native domains: it is the authoritative time source of the domain (W32Time), it is the DC on which Group Policy edits are made by default, and password changes and account lockouts are replicated to it urgently, so a logon with a freshly changed password that fails on another DC is retried against the PDC Emulator. I admit that it is confusing that these jobs have little to do with PDCs and BDCs.

RID Master - Each security principal must have a unique SID, built from the domain SID plus a relative identifier (RID); the objectGUID is a separate, globally unique value. The RID Master hands each domain controller its own pool of RIDs so that every DC issues unique numbers when you create objects such as users, groups or computers. For example, DC one is given RIDs 1-4999 and DC two is given RIDs 5000-9999.
Infrastructure Master - Responsible for updating references to objects in other domains (phantom records) when those objects are renamed or moved; group membership across domains is the most important example. To me, it seems as though the operating system is paranoid that a) you are a member of a universal group in another domain and b) that group has been assigned Deny permissions. So if the Infrastructure Master could not check your universal groups there could be a security breach.
Domain Naming Master - Ensures that each child domain has a unique name. How often do child domains get added to the forest? Not very often, I suggest, so the fact that this is a FSMO role does not impact normal domain activity. My point is that it's worth the price to confine joining and leaving the forest operations to one machine, and save the tiny risk of getting duplicate names or orphaned domains.
Schema Master - Operations that involve extending object properties, e.g. Exchange 2003 forestprep, which adds mailbox properties to users. Rather like the Domain Naming Master, changing the schema is a rare event.

However if you have a team of schema administrators all experimenting with object properties, you would not want there to be a mistake which crippled your forest. So it's a case of Microsoft knows best: the Schema Master should be a single master operation and thus a FSMO role.
If each one of them fails, these are the effects:

Schema Master - Schema updates are not available. These are generally planned changes, and the first step when doing a schema change is normally something like "make sure your environment is healthy". There isn't any urgency if the schema master fails; having it offline is largely irrelevant until you want to make a schema change.

Domain Naming Master - No new domains or application partitions can be added. This sort of falls into the same "healthy environment" bucket as the schema master. When we upgraded the first DC to a beta Server 2003 OS which included the code to create the DNS application partitions, we couldn't figure out why they weren't instantiated until we realized that the server hosting the DNM was offline (being upgraded) at the same time.
Infrastructure Master - No cross-domain updates, can't run any domain preps. Domain preps are planned (again). But no cross-domain updates: that could be important if you have a multi-domain environment with a

  • 8/8/2019 sysadmin interviewTechnical

    9/26

    Windows Server

    Page 9 of26

    lot of changes occurring.

    RID Master - New RID pools unable to be issued to DC's - This gets a bit more complicated, but let me see if Ican make it easy. Every DC is initially issued 500 RID's. When it gets down to 50% (250) it requests a secondpool of RID's from the RID master. So when the RID master goes offline, every DC has anywhere between 250and 750 RIDs available (depending on whether it's hit 50% and received the new pool).

    PDC - Time, logins, password changes, trusts - So we made it to the bottom of the list, and by this point you'vefigured that the PDC has to be the most urgent FSMO role holder to get back online. The rest of them can beoffline for varying amounts of time with no impact at all. Users may see funky behavior if they changed theirpassword, but replication will probably have completed before they call the help desk so nothing to worry about,and trust go back to that whole "healthy forest" thing again.

33) What FSMO placement considerations do you know of?
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC.
Windows Server 2003 Active Directory is a bit different from the Windows 2000 version when dealing with FSMO placement. In this article I will only deal with Windows Server 2003 Active Directory, but you should bear in mind that most considerations are also true when planning Windows 2000 AD FSMO roles.
Microsoft's general placement recommendations (Knowledge Base article 223346, cited later in this document) are:
- Keep the Schema master and Domain naming master on the same domain controller in the forest root domain. On Windows 2000 the Domain naming master must also be a global catalog server.
- Keep the PDC emulator and RID master on the same domain controller unless load requires separating them, and make that DC a direct replication partner of a suitable standby.
- Do not place the Infrastructure master on a global catalog server, unless every DC in the domain is a global catalog or the forest has only one domain.

34) I want to look at the RID allocation table for a DC. What do I do?
1. Install the Support Tools from the OS disk (OS Inst: Disk=>support=>tools=>suptools.msi).
2. At a command prompt type: dcdiag /test:ridmanager /s:system1 /v (system1 is the name of our DC).
The verbose output lists the DC's rIDAllocationPool, rIDPreviousAllocationPool and rIDNextRID values, together with the domain-wide rIDAvailablePool that the RID master hands pools out of.
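The same information can be read straight out of Active Directory and decoded. The following script is an added example, not part of the original document; it uses the ActiveDirectory module (RSAT) and a hypothetical DC name, and assumes the documented layout of the pool attributes (pool start in the low 32 bits, pool end in the high 32 bits):

```powershell
# Added example (not from the original document): read a DC's RID pool values from
# Active Directory and decode them, as a scripted counterpart to "dcdiag /test:ridmanager /v".
# Requires the ActiveDirectory module (RSAT). 'DC1' below is a hypothetical DC name.
Import-Module ActiveDirectory

function ConvertFrom-RidPool {
    param([int64]$Value)
    # Pool attributes are 64-bit: low 32 bits = first RID, high 32 bits = last RID (inclusive).
    [pscustomobject]@{
        Start = $Value -band 0xFFFFFFFF
        End   = $Value -shr 32
    }
}

function Get-RidPoolReport {
    param([string]$DomainController = 'DC1')   # hypothetical DC name

    $domain = Get-ADDomain
    $dc     = Get-ADDomainController -Identity $DomainController

    # The domain-wide pool lives on CN=RID Manager$ and is owned by the RID master.
    $ridMgrDn = 'CN=RID Manager$,CN=System,' + $domain.DistinguishedName
    $ridMgr   = Get-ADObject -Identity $ridMgrDn -Properties rIDAvailablePool
    $avail    = ConvertFrom-RidPool $ridMgr.rIDAvailablePool

    # Each DC's own pools sit on the RID Set object referenced from its computer account.
    $computer = Get-ADObject -Identity $dc.ComputerObjectDN -Properties rIDSetReferences
    $ridSetDn = $computer.rIDSetReferences | Select-Object -First 1
    $ridSet   = Get-ADObject -Identity $ridSetDn `
                  -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID
    # rIDPreviousAllocationPool is the pool currently being consumed;
    # rIDAllocationPool is the pool most recently received from the RID master.
    $current  = ConvertFrom-RidPool $ridSet.rIDPreviousAllocationPool
    $next     = ConvertFrom-RidPool $ridSet.rIDAllocationPool

    [pscustomobject]@{
        RidMaster        = $domain.RIDMaster
        NextDomainRid    = $avail.Start          # next RID the RID master will hand out
        DomainRidCeiling = $avail.End            # 0x3FFFFFFF (1073741823) unless the pool was unlocked
        DcCurrentPool    = "$($current.Start)-$($current.End)"
        DcNextPool       = "$($next.Start)-$($next.End)"
        DcNextRid        = $ridSet.rIDNextRID
        DcRidsRemaining  = $current.End - $ridSet.rIDNextRID   # rough headroom before a new pool is needed
    }
}

Get-RidPoolReport -DomainController 'DC1' | Format-List
```

Run it against each DC before and after a RID master outage: a DC whose current pool is nearly exhausted while the RID master is unreachable is the one that will start failing user and computer creation first.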

35) What's the difference between transferring a FSMO role and seizing one? Which one should you NOT seize? Why?

Transferring a role is a graceful hand-over between two online domain controllers: the current holder is contacted, its latest changes are replicated to the new holder, and both end up agreeing on the new owner. Seizing forces the role onto a new domain controller without the old holder's cooperation, so the old holder never learns that it lost the role.

Seizing an FSMO can be a destructive process and should only be attempted if the existing server with the FSMO is no longer available.

If the domain controller that is the Schema Master FSMO role holder is temporarily unavailable, DO NOT seize the Schema Master role.

If you are going to seize the Schema Master, you must permanently disconnect the current Schema Master from the network.

If you seize the Schema Master role, the boot drive on the original Schema Master must be completely reformatted and the operating system must be cleanly installed, if you intend to return this computer to the network.

    NOTE: The Boot Partition contains the system files (\System32). The System Partition is the partition thatcontains the startup files, NTDetect.com, NTLDR, Boot.ini, and possibly Ntbootdd.sys.

The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to the first domain controller in the forest root domain. The first domain controller in each new child or tree domain is assigned the three domain-wide roles. Domain controllers continue to own FSMO roles until they are reassigned by using one of the following methods:

- An administrator reassigns the role by using a GUI administrative tool.
- An administrator reassigns the role by using the ntdsutil /roles command.
- An administrator gracefully demotes a role-holding domain controller by using the Active Directory Installation Wizard. This wizard reassigns any locally-held roles to an existing domain controller in the forest. Demotions that are performed by using the dcpromo /forceremoval command leave FSMO roles in an invalid state until they are reassigned by an administrator.

We recommend that you transfer FSMO roles in the following scenarios:
- The current role holder is operational and can be accessed on the network by the new FSMO owner.
- You are gracefully demoting a domain controller that currently owns FSMO roles that you want to assign to a specific domain controller in your Active Directory forest.
- The domain controller that currently owns FSMO roles is being taken offline for scheduled maintenance and you need specific FSMO roles to be assigned to a "live" domain controller. This may be required to perform operations that connect to the FSMO owner. This would be especially true for the PDC Emulator role but less true for the RID master role, the Domain naming master role and the Schema master role.

We recommend that you seize FSMO roles in the following scenarios:
- The current role holder is experiencing an operational error that prevents an FSMO-dependent operation from completing successfully and that role cannot be transferred.
- A domain controller that owns an FSMO role is force-demoted by using the dcpromo /forceremoval command.
- The operating system on the computer that originally owned a specific role no longer exists or has been reinstalled.

As replication occurs, non-FSMO domain controllers in the domain or forest gain full knowledge of changes that are made by FSMO-holding domain controllers. If you must transfer a role, the best candidate domain controller is one that is in the appropriate domain and that last inbound-replicated, or recently inbound-replicated, a writable copy of the "FSMO partition" from the existing role holder. For example, the Schema master role-holder has a distinguished name path of CN=schema,CN=configuration,dc=, and this means that the role resides in and is replicated as part of the CN=schema partition. If the domain controller that holds the Schema master role experiences a hardware or software failure, a good candidate role-holder would be a domain controller in the root domain and in the same Active Directory site as the current owner. Domain controllers in the same Active Directory site replicate changes to each other after a short change-notification delay (5 minutes on Windows 2000, 15 seconds on Windows Server 2003), so an in-site partner is the most likely to already hold the failed role holder's latest changes.

The partition for each FSMO role is in the following list:

    FSMO role               Partition
    Schema                  CN=Schema,CN=configuration,DC=
    Domain Naming Master    CN=configuration,DC=
    PDC                     DC=
    RID                     DC=
    Infrastructure          DC=

A domain controller whose FSMO roles have been seized should not be permitted to communicate with existing domain controllers in the forest. In this scenario, you should either format the hard disk and reinstall the operating system on such domain controllers, or forcibly demote such domain controllers on a private network and then remove their metadata on a surviving domain controller in the forest by using the ntdsutil /metadata cleanup command. The risk of introducing a former FSMO role holder whose role has been seized into the forest is that the original role holder may continue to operate as before until it inbound-replicates knowledge of the role seizure. Known risks of two domain controllers owning the same FSMO roles include creating security principals that have overlapping RID pools (two different accounts that end up with the same SID), and other problems.

Transfer FSMO roles
To transfer the FSMO roles by using the Ntdsutil utility, follow these steps:
1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being transferred. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Admins group to transfer the Schema master or Domain naming master roles (for the Schema master, membership in Schema Admins is also required), or a member of the Domain Admins group of the domain where the PDC emulator, RID master and Infrastructure master roles are being transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER.
   Note: To see a list of available commands at any one of the prompts in the Ntdsutil utility, type ?, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller you want to assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type transfer role, where role is the role that you want to transfer. For a list of roles that you can transfer, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles earlier in this document. For example, to transfer the RID master role, type transfer rid master. The one exception is for the PDC emulator role, whose syntax is transfer pdc, not transfer pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to return to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.

Seize FSMO roles
To seize the FSMO roles by using the Ntdsutil utility, follow these steps:
1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being seized. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Admins group to seize the Schema master or Domain naming master roles (for the Schema master, membership in Schema Admins is also required), or a member of the Domain Admins group of the domain where the PDC emulator, RID master and Infrastructure master roles are being seized.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type seize role, where role is the role that you want to seize. For a list of roles that you can seize, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles earlier in this document. For example, to seize the RID master role, type seize rid master. The one exception is for the PDC emulator role, whose syntax is seize pdc, not seize pdc emulator. Ntdsutil first attempts a normal transfer and only seizes the role when the current holder cannot be contacted.
8. At the fsmo maintenance prompt, type q, and then press ENTER to return to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.
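The two procedures above, scripted, as an added example (not part of the original document): it uses the ActiveDirectory module that ships with Windows Server 2008 R2 and later RSAT, the DC names 'DC1' and 'DC2' are hypothetical, and the reachability guard is this example's own addition, meant to stop the classic mistake of seizing a role from a holder that is merely unreachable for a moment.

```powershell
# Added example (not from the original document): transfer vs. seize with the
# ActiveDirectory module. 'DC1' and 'DC2' are hypothetical DC names.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Forest-wide roles are on the forest object, domain-wide roles on the domain object.
    $f = Get-ADForest
    $d = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)][string]$NewHolder,
        [Parameter(Mandatory)]
        [ValidateSet('PDCEmulator','RIDMaster','InfrastructureMaster','SchemaMaster','DomainNamingMaster')]
        [string[]]$Role,
        [switch]$Seize
    )
    $before = Get-FsmoHolders
    foreach ($r in $Role) {
        $current = $before.$r
        # Guard (this example's addition): if the current holder still answers, a transfer is
        # the right operation. Seizing from a holder that is only briefly unreachable is how
        # you end up with two DCs that both believe they own the role.
        $holderOnline = Test-Connection -ComputerName $current -Count 1 -Quiet
        if ($Seize -and $holderOnline) {
            throw "Refusing to seize $r from $current because it is still reachable; transfer it instead."
        }
        if (-not $Seize -and -not $holderOnline) {
            throw "Cannot transfer $r: current holder $current is offline. Seize only if it will never return."
        }
    }
    # Without -Force the cmdlet transfers; with -Force it seizes (after trying a transfer first).
    Move-ADDirectoryServerOperationMasterRole -Identity $NewHolder -OperationMasterRole $Role `
        -Force:$Seize -Confirm:$false
    Get-FsmoHolders   # return the new holders so the caller can verify the result
}

# Graceful transfer of the two domain roles you most want "live" during maintenance:
Move-FsmoRole -NewHolder 'DC2' -Role PDCEmulator, RIDMaster

# Emergency seizure: DC1 is dead and will be rebuilt from scratch, never reconnected as-is.
# Move-FsmoRole -NewHolder 'DC2' -Role SchemaMaster -Seize
```

A ping answer only proves the host is up, not that its directory service is healthy, so treat the guard as a sanity check rather than proof; and after any seizure, finish the job described above: keep the old holder off the network and run ntdsutil metadata cleanup for it on a surviving DC.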

Notes
Under typical conditions, all five roles must be assigned to "live" domain controllers in the forest. If a domain controller that owns a FSMO role is taken out of service before its roles are transferred, you must seize all of its roles to an appropriate and healthy domain controller. We recommend that you only seize all roles when the other domain controller is not returning to the domain. If it is possible, fix the broken domain controller that is assigned the FSMO roles. You should determine which roles are to be on which remaining domain controllers so that all five roles are assigned to a single domain controller. For more information about FSMO role placement, see Microsoft Knowledge Base article 223346 (http://support.microsoft.com/kb/223346/), FSMO placement and optimization on Windows 2000 domain controllers.
If the domain controller that formerly held any FSMO role is not present in the domain and has had its roles seized by using the steps in this article, remove it from Active Directory by following the procedure outlined in Microsoft Knowledge Base article 216498 (http://support.microsoft.com/kb/216498/), How to remove data in Active Directory after an unsuccessful domain controller demotion.
Removing domain controller metadata with the Windows 2000 version or the Windows Server 2003 build 3790 version of the ntdsutil /metadata cleanup command does not relocate FSMO roles that are assigned to live domain controllers. The Windows Server 2003 Service Pack 1 (SP1) version of the Ntdsutil utility automates this task and removes additional elements of domain controller metadata.
Some customers prefer not to restore system state backups of FSMO role-holders in case the role has been reassigned since the backup was made.

Do not put the Infrastructure master role on the same domain controller as a global catalog server. If the Infrastructure master runs on a global catalog server it stops updating object information, because it does not contain any references to objects that it does not hold. This is because a global catalog server holds a partial replica of every object in the forest. The exception is when every domain controller in the domain is a global catalog server (or the forest has only one domain): then there are no stale cross-domain references left to fix and the placement does not matter.

To test whether a domain controller is also a global catalog server:
1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
2. Double-click Sites in the left pane, and then locate the appropriate site, or click Default-First-Site-Name if no other sites are available.
3. Open the Servers folder, and then click the domain controller.
4. In the domain controller's folder, double-click NTDS Settings.
5. On the Action menu, click Properties.
6. On the General tab, view the Global Catalog check box to see if it is selected.

36) How do you configure a "stand-by operation master" for any of the roles?
A standby operations master is a domain controller kept as a direct replication partner of the current role holder, so that it always has an up-to-date copy of the partition the role lives in and can take the role over by transfer (or, if the holder is lost for good, by seizure) with minimal risk of losing changes. To create the replication connection:
1. Open Active Directory Sites and Services.
2. Expand the site name in which the standby operations master is located to display the Servers folder.
3. Expand the Servers folder to see a list of the servers in that site.
4. Expand the name of the server that you want to be the standby operations master to display its NTDS Settings.
5. Right-click NTDS Settings, click New, and then click Connection.
6. In the Find Domain Controllers dialog box, select the name of the current role holder, and then click OK.
7. In the New Object-Connection dialog box, enter an appropriate name for the Connection object or accept the default name, and click OK.

37) How do you backup AD?
Backing up Active Directory is essential to maintain an Active Directory database. You can back up Active Directory by using the Graphical User Interface (GUI) and command-line tools that the Windows Server 2003 family provides.

Back up the system state data on domain controllers frequently so that you can restore the most current data. By establishing a regular backup schedule, you have a better chance of recovering data when necessary.
To ensure a good backup, which includes at least the system state data and the contents of the system disk, you must be aware of the tombstone lifetime. By default the tombstone lifetime is 60 days; any backup older than the tombstone lifetime is not a good backup. Plan to back up at least two domain controllers in each domain, and keep at least one backup from which an authoritative restore can be performed when necessary.

System State Data
Several features in the Windows Server 2003 family make it easy to back up Active Directory. You can back up Active Directory while the server is online, and other network functions continue to work.
System state data on a domain controller includes the following components:
- Active Directory: System state data contains Active Directory only if the server on which you are backing up the system state data is a domain controller. Active Directory is present only on domain controllers.
- The SYSVOL shared folder: This shared folder contains Group Policy templates and logon scripts. The SYSVOL shared folder is present only on domain controllers.
- The Registry: This database repository contains information about the computer's configuration.
- System startup files: Windows Server 2003 requires these files during its initial startup phase. They include the boot and system files that are under Windows File Protection and are used by Windows to load, configure, and run the operating system.
- The COM+ Class Registration database: The Class registration is a database of information about Component Services applications.
- The Certificate Services database: This database contains certificates that a server running Windows Server 2003 uses to authenticate users. The Certificate Services database is present only if the server is operating as a certificate server.
System state data contains most elements of a system's configuration, but it may not include all of the information that you require to recover from a system failure. Therefore, be sure to back up all boot and system volumes, including the System State, when you back up your server.

Restoring Active Directory
In the Windows Server 2003 family, you can restore the Active Directory database if it becomes corrupted or is destroyed because of hardware or software failures. You may also need to restore the Active Directory database when objects in Active Directory are accidentally changed or deleted.
Active Directory restore can be performed in several ways. Replication synchronizes the latest changes from every other replication partner; once replication is finished, each partner has an updated version of Active Directory. The other way to get these latest updates is to use the Backup utility to restore replicated data from a backup copy. For this restore you don't need to configure your domain controller again or install the operating system from scratch.

Active Directory Restore Methods
You can use one of three methods to restore Active Directory from backup media: primary restore, normal (non-authoritative) restore, and authoritative restore.
Primary restore: This method rebuilds the first domain controller in a domain when there is no other way to rebuild the domain. Perform a primary restore only when all the domain controllers in the domain are lost and you want to rebuild the domain from the backup. Members of the Administrators group, or a user who has been delegated this responsibility, can perform the primary restore on the local computer. On a domain controller only Domain Admins can perform this restore.
Normal restore: This method reinstates the Active Directory data to the state at the time of the backup, and then updates the data through the normal replication process. Perform a normal restore to return a single domain controller to a previously known good state.
Authoritative restore: You perform this method in tandem with a normal restore. An authoritative restore marks specific data as current and prevents replication from overwriting that data. The authoritative data is then replicated through the domain. Perform an authoritative restore of individual objects in a domain that has multiple domain controllers. When you perform an authoritative restore, you lose all changes to the restored objects that occurred after the backup.
Ntdsutil is the command-line utility used to perform an authoritative restore, alongside the Windows Server 2003 system utilities. You use Ntdsutil to mark Active Directory objects as authoritative so that they receive a higher version number; recently changed data on other domain controllers then does not overwrite the restored objects during replication.

38) How do you restore AD?
The restore methods (primary, normal and authoritative) are described under question 37 above.
METHOD

A. You can't restore Active Directory (AD) to a domain controller (DC) while the Directory Service (DS) is running. To restore AD, perform the following steps.
1. Reboot the computer.
2. At the boot menu, select Windows 2000 Server. Don't press Enter. Instead, press F8 for advanced options. You'll see the following text:
   OS Loader V5.0
   Windows NT Advanced Options Menu
   Please select an option:
   Safe Mode
   Safe Mode with Networking
   Safe Mode with Command Prompt
   Enable Boot Logging
   Enable VGA Mode
   Last Known Good Configuration
   Directory Services Restore Mode (Windows NT domain controllers only)
   Debugging Mode
   Use the up and down arrow keys to move the highlight to your choice.
   Press Enter to choose.
3. Scroll down, select Directory Services Restore Mode (Windows NT domain controllers only), and press Enter.
4. When you return to the Windows 2000 Server boot menu, press Enter. At the bottom of the screen, you'll see in red text Directory Services Restore Mode (Windows NT domain controllers only).
   The computer will boot into a special safe mode and won't start the DS. Be aware that during this time the machine won't act as a DC and won't perform functions such as authentication. Log on with the local Administrator account and the Directory Services Restore Mode password that was set when the DC was promoted (see question 39).
5. Start NT Backup.
6. Select the Restore tab.
7. Select the backup media, and select System State.
8. Click Start Restore.
9. Click OK in the confirmation dialog box.
10. If you need an authoritative restore of particular objects, run Ntdsutil now, while still in Directory Services Restore Mode, before rebooting.
11. After you restore the backup, reboot the computer and start in normal mode to use the restored information. The computer might hang after the restore completes; sometimes it takes a 30-minute wait on some machines.
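The authoritative-restore step that turns the procedure above from a normal restore into an authoritative one, as an added example (not part of the original document). It is typed at a command prompt while the DC is still in Directory Services Restore Mode, after the System State restore and before the normal reboot; the object and OU distinguished names are hypothetical:

```powershell
# Added example (not from the original document): mark restored objects authoritative
# with ntdsutil, run in DSRM after the System State restore and BEFORE rebooting normally.
# The DNs below are hypothetical. ntdsutil accepts its sub-commands as quoted arguments.

# Restore one accidentally deleted user, and only that object, authoritatively.
ntdsutil "authoritative restore" "restore object cn=jdoe,ou=Sales,dc=example,dc=com" quit quit

# Restore a whole OU, including everything beneath it.
ntdsutil "authoritative restore" "restore subtree ou=Sales,dc=example,dc=com" quit quit

# What this does: each marked object has its version numbers raised by a large increment
# (ntdsutil's default is 100000 for every day since the backup was taken, overridable with
# "verinc"), so when the DC reboots and replicates, the restored copy outranks the deletion
# that has already replicated to every other DC. Objects that are NOT marked remain
# non-authoritative and are brought up to date by the replication partners as usual.
```

Ntdsutil asks for confirmation before marking, and it prints how many objects it marked; zero almost always means the DN is wrong or the object was not in the backup. On Windows Server 2003 SP1 and later it also writes an LDIF file that you import afterwards to recover the restored users' group memberships (back-links), which the restore itself does not bring back on every DC.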

39) How do you change the DS Restore admin password?
Source: Microsoft Knowledge Base article 239803, "How to Change the Recovery Console Administrator Password on a Domain Controller" (last reviewed March 1, 2007, revision 2.2; previously published under Q239803).

SUMMARY
When you promote a Windows 2000 Server-based computer to a domain controller, you are prompted to type a Directory Service Restore Mode Administrator password. This password is also used by Recovery Console, and is separate from the Administrator password that is stored in Active Directory after a completed promotion.

MORE INFORMATION
The Administrator password that you use when you start Recovery Console or when you press F8 to start Directory Service Restore Mode is stored in the registry-based Security Accounts Manager (SAM) on the local computer. The SAM is located in the \System32\Config folder. The SAM-based account and password are computer specific and they are not replicated to other domain controllers in the domain.

For ease of administration of domain controllers or for additional security measures, you can change the Administrator password for the local SAM. To change the local Administrator password that you use when you start Recovery Console or when you start Directory Service Restore Mode, use one of the following methods.

Method 1
If Windows 2000 Service Pack 2 or later is installed on your computer, you can use the Setpwd.exe utility to change the SAM-based Administrator password. To do this:
1. Log on to the computer as the administrator or a user who is a member of the Administrators group.
2. At a command prompt, change to the \System32 folder.
3. To change the local SAM-based Administrator password, type setpwd, and then press ENTER. To change the SAM-based Administrator password on a remote domain controller, type the following command at a command prompt, and then press ENTER:
   setpwd /s:servername
   where servername is the name of the remote domain controller.
4. When you are prompted to type the password for the Directory Service Restore Mode Administrator account, type the new password that you want to use.

NOTE: If you make a mistake, repeat these steps to run setpwd again. For additional information about the Setpwd.exe utility, see Microsoft Knowledge Base article 271641 (http://support.microsoft.com/kb/271641/EN-US/), The Configure Your Server Wizard Sets Blank Recovery Password.

Method 2
1. Log on to the computer as the administrator or a user who is a member of the Administrators group.
2. Shut down the domain controller on which you want to change the password.
3. Restart the computer. When the selection menu screen is displayed during restart, press F8 to view advanced startup options.
4. Click the Directory Service Restore Mode option.
5. After you log on, use one of the following methods to change the local Administrator password:
   - At a command prompt, type the following command: net user administrator *
   - Use the Local Users and Groups snap-in (Lusrmgr.msc) to change the Administrator password.
6. Shut down and restart the computer. You can now use the Administrator account to log on to Recovery Console or Directory Services Restore Mode using the new password.

For additional information about how to secure the local SAM, see Microsoft Knowledge Base article 223301 (http://support.microsoft.com/kb/223301/EN-US/), Protection of the Administrator Account in the Offline SAM.
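Neither method above is needed on Windows Server 2003 SP1 or later, where ntdsutil can reset the DSRM password while the directory service is running. The commands below are an added example, not part of the KB article quoted above; 'DC1' is a hypothetical DC name:

```powershell
# Added example (not from the original document): reset the DSRM Administrator password
# without rebooting into DSRM, using ntdsutil's "set dsrm password" command
# (Windows Server 2003 SP1 and later). 'DC1' is a hypothetical DC name.

# Reset the DSRM password on the DC you are logged on to.
# "null" means "this server"; ntdsutil prompts twice for the new password.
ntdsutil "set dsrm password" "reset password on server null" quit quit

# Reset it on a remote domain controller instead.
ntdsutil "set dsrm password" "reset password on server DC1" quit quit

# Windows Server 2008 R2 and later can also copy the current password of a domain
# account into the DSRM account, which makes scheduled rotation practical:
# ntdsutil "set dsrm password" "sync from domain account DsrmRotation" quit quit
```

Because the DSRM account lives in each DC's local SAM and is never replicated, the reset has to be run against every DC; a single forgotten DC keeps whatever password it was promoted with. On Windows Server 2008 and later also check that HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DsrmAdminLogonBehavior is absent or 0, since a value of 1 or 2 allows the DSRM account to log on while the directory service is running.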

40) Why can't you restore a DC that was backed up 4 months ago?
Because of the tombstone lifetime. When an object is deleted, Active Directory keeps a tombstone for it for the tombstone lifetime (60 days by default on Windows 2000 and Windows Server 2003; 180 days in forests created with Windows Server 2003 SP1 or later) and then removes it completely. A backup older than that (4 months is roughly 120 days) still contains objects whose tombstones have already been garbage-collected on the other DCs, so restoring it would bring back "lingering" objects that replication can never delete again. For that reason Windows refuses to restore a System State backup that is older than the tombstone lifetime.
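An added example (not part of the original document) that reads the forest's effective tombstone lifetime and applies the rule from question 40 to a backup date supplied by the caller. It uses the ActiveDirectory module; the backup date and the 60-day value in the final call are illustrative:

```powershell
# Added example (not from the original document): check a System State backup's age
# against the forest's tombstone lifetime. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime lives on the Directory Service object in the Configuration partition.
    # When the attribute is not set, the directory behaves as if it were 60 days.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
             -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Test-BackupUsable {
    param(
        [Parameter(Mandatory)][datetime]$BackupDate,          # supplied by the caller, e.g. from the backup catalog
        [int]$TombstoneLifetimeDays = (Get-TombstoneLifetimeDays)
    )
    $ageDays = ((Get-Date) - $BackupDate).TotalDays
    $usable  = $ageDays -lt $TombstoneLifetimeDays
    $reason  = if ($usable) {
        'Backup is newer than the tombstone lifetime; a normal restore is safe.'
    } else {
        'Backup is older than the tombstone lifetime; restoring it would reintroduce lingering objects.'
    }
    [pscustomobject]@{
        BackupDate            = $BackupDate
        AgeDays               = [int]$ageDays
        TombstoneLifetimeDays = $TombstoneLifetimeDays
        Usable                = $usable
        Reason                = $reason
    }
}

# The situation in question 40: a 4-month-old backup against a 60-day tombstone lifetime.
Test-BackupUsable -BackupDate (Get-Date).AddMonths(-4) -TombstoneLifetimeDays 60
```

Leave out -TombstoneLifetimeDays to use the value from your own forest; a forest that was upgraded from Windows 2000 typically still has no attribute set, and therefore 60 days, even though its DCs run a newer OS.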

    41) What are GPOs?ANSWERGroup Policy gives you administrative control over users and computers in your network. By using GroupPolicy, you can define the state of a user's work environment once, and then rely on Windows Server 2003 tocontinually force the Group Policy settings that you apply across an entire organization or to specific groups of

    users and computers.

    Group Policy AdvantagesYou can assign group policy in domains, sites and organizational units.All users and computers get reflected by group policy settings in domain, site and organizational unit.No one in network has rights to change the settings of Group policy; by default only administrator has fullprivilege to change, so it is very secure.Policy settings can be removed and can further rewrite the changes.Where GPO's store Group Policy InformationGroup Policy objects store their Group Policy information in two locations:Group Policy Container: The GPC is an Active Directory object that contains GPO status, version information,WMI filter information, and a list of components that have settings in the GPO. Computers can access the GPCto locate Group Policy templates, and domain controller does not have the most recent version of the GPO,

replication occurs to obtain the latest version of the GPO.
Group Policy Template: The GPT is a folder hierarchy in the shared SYSVOL folder on a domain controller. When you create a GPO, Windows Server 2003 creates the corresponding GPT, which contains all Group Policy settings and information, including administrative templates, security, software installation, scripts, and folder redirection settings. Computers connect to the SYSVOL share to obtain the settings. The name of the GPT folder is the Globally Unique Identifier (GUID) of the GPO that you created; it is identical to the GUID that Active Directory uses to identify the GPO in the GPC. The path to the GPT on a domain controller is %systemroot%\SYSVOL\sysvol\<domain DNS name>\Policies\{GUID}.
Managing GPOs
GPO data lives in two places, the GPC in Active Directory and the GPT in SYSVOL, and two independent replication mechanisms (Active Directory replication for the GPC, FRS or DFS Replication for the GPT) copy it to all domain controllers in the domain. To avoid replication conflicts, pay attention to which domain controller an edit is made on: whether one administrator's changes overwrite another's depends on the replication latency between the domain controllers they used. By default the Group Policy Management Console edits GPOs on the PDC Emulator, so that all administrators work on the same domain controller.
WMI Filter
WMI filters narrow the scope of a GPO based on attributes of the destination computer as seen through WMI (operating system version, installed memory, domain membership, and so on). In this way you can increase the GPO filtering capabilities beyond the security group filtering mechanism that was previously available. A WMI filter is linked to a GPO; at most one filter can be linked to a GPO, and the same filter can be linked to several GPOs. When the GPO is processed on the destination computer, the Group Policy client evaluates the filter's queries against the WMI repository of that computer. A WMI filter consists of one or more queries: if any query evaluates to false, the GPO is not applied; if all of them are true, the GPO is applied. You write the queries in the WMI Query Language (WQL), an SQL-like language for querying the WMI repository. Note that Windows 2000 clients ignore WMI filters and apply the GPO regardless.
Planning a Group Policy Strategy for the Enterprise
When you plan an Active Directory structure, create a plan for GPO inheritance, administration, and deployment that provides the most efficient Group Policy management for your organization. Also consider how you will implement Group Policy for the organization. Be sure to consider delegation of authority, separation of administrative duties, centralized versus decentralized administration, and design flexibility, so that your plan provides for ease of use as well as ease of administration.
Planning GPOs
Create GPOs in a way that provides the simplest and most manageable design, one in which you can use inheritance and multiple links.
Guidelines for Planning GPOs
Apply GPO settings at the highest level: This way, you take advantage of Group Policy inheritance. Determine which GPO settings are common to the largest container, starting with the domain, and then link the GPO to that container.
Reduce the number of GPOs: You reduce the number of GPOs by using multiple links instead of creating multiple identical GPOs. Try to link a GPO at the broadest container level possible, to avoid creating multiple links to the same GPO at deeper levels.
Create specialized GPOs: Use these GPOs to apply unique settings when necessary. GPOs at a higher level will not apply the settings in these specialized GPOs.
Disable the computer or user configuration half: When you create a GPO that contains settings for only one of the two halves (user or computer), disable the half that is not used. This shortens logon and startup processing and prevents accidental settings from being applied to the other area.
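The WMI filter evaluation described above (every query must be true, otherwise the GPO is skipped), as an added example that is not part of the original page: a PowerShell function that runs a filter's WQL queries on the local machine the way the Group Policy client does, so a filter can be checked on a representative computer before it is linked to a GPO. It uses Get-CimInstance (PowerShell 3.0 and later; on older clients substitute Get-WmiObject -Query). The sample filter and the GPO name in the final comment are constructed for this example.

```powershell
# Added example, not from the original page. Evaluates a WMI filter's WQL queries on the
# local machine the way the Group Policy client does: every query must return at least one
# instance for the filter to be true. Sample queries below are constructed for this example.
function Test-WmiFilter {
    param(
        [Parameter(Mandatory)][string[]]$Queries,   # the filter's WQL queries, combined with AND
        [string]$Namespace = 'root\CIMv2'           # namespace used by most GPO WMI filters
    )
    foreach ($q in $Queries) {
        try {
            $hits = @(Get-CimInstance -Namespace $Namespace -Query $q -ErrorAction Stop)
        } catch {
            # A query that cannot run (unknown class, bad syntax) makes the whole filter false.
            Write-Warning "Query failed: $q ($($_.Exception.Message))"
            return $false
        }
        if ($hits.Count -eq 0) { Write-Verbose "No match: $q"; return $false }
        Write-Verbose "Match ($($hits.Count) instance(s)): $q"
    }
    return $true
}

# Filter meant for domain-joined member servers running Windows Server 2008 (version 6.0.x).
# Win32_OperatingSystem.Version is a string, so use LIKE rather than >=, which would be a
# lexical comparison ("10.0" sorts before "6.0"). ProductType: 1 = workstation, 2 = domain
# controller, 3 = member server.
$memberServer2008 = @(
    'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 3 AND Version LIKE "6.0.%"',
    'SELECT * FROM Win32_ComputerSystem WHERE PartOfDomain = TRUE'
)
$applies = Test-WmiFilter -Queries $memberServer2008 -Verbose
"A GPO carrying this filter would apply on this computer: $applies"

# The filter attached to an existing GPO is visible with (Get-GPO -Name 'Server Baseline').WmiFilter
```

When a filter evaluates to false the GPO is skipped silently from the user's point of view; gpresult and the GPMC Group Policy Results report list it under denied GPOs with the reason "WMI Filter". The filter is re-evaluated at every policy refresh, so a computer whose attributes change (for example an upgraded operating system) gains or loses the GPO at the next refresh.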

41) What is the order in which GPOs are applied?
Local, Site, Domain, OU (often remembered as LSDOU).
Group Policy settings are processed in the following order:
1. Local Group Policy object: each computer has exactly one Group Policy object that is stored locally. It is processed for both computer and user Group Policy processing.
2. Site: any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator on the Linked Group Policy Objects tab for the site in the Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.
3. Domain: processing of multiple domain-linked GPOs is in the order specified by the administrator on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
4. Organizational units: GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.
At the level of each organizational unit in the Active Directory hierarchy one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, the earlier and later settings are merely aggregated.) Two link options change this: Block Inheritance on a domain or OU discards the GPOs inherited from above it, and an Enforced link is processed after all non-enforced links (so it wins conflicts) and cannot be blocked; where enforced links exist at several levels, the one from the higher container takes precedence. Computer settings are applied at startup and user settings at logon; user settings come from the user's own location in the hierarchy unless loopback processing is enabled on the computer.
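The processing order described in question 41, as an added example that is not part of the original page: a self-contained PowerShell function that computes the order in which GPOs are processed for an object from its distinguished name, its site, and the links at each container, applying the same rules GPMC's Group Policy Inheritance tab does (link order, disabled links, Block Inheritance, Enforced links). The link data is constructed sample input, not read from a domain, so the function runs offline; the domain, OU and GPO names are assumptions.

```powershell
# Added example, not from the original page. Computes GPO processing order (Local, Site,
# Domain, OU chain) for an object from constructed link data. The last GPO in the returned
# list wins any conflicting setting.
function Get-GpoProcessingOrder {
    param(
        [Parameter(Mandatory)][string]$TargetDN,   # DN of the user or computer object
        [Parameter(Mandatory)][string]$SiteName,   # AD site the computer is in
        [Parameter(Mandatory)][hashtable]$Links,   # container key -> array of @{Name; LinkOrder; Enforced; Disabled}
        [hashtable]$BlockInheritance = @{}         # container key -> $true when Block Inheritance is set
    )

    # Build the container chain from the top down: site, domain, then each OU.
    $rdns     = $TargetDN -split '(?<!\\),'                       # split on unescaped commas
    $domainDN = ($rdns | Where-Object { $_ -like 'DC=*' }) -join ','
    $ouRdns   = @($rdns | Where-Object { $_ -like 'OU=*' })
    [array]::Reverse($ouRdns)                                      # top-level OU first
    $chain   = @("Site:$SiteName", $domainDN)
    $current = $domainDN
    foreach ($rdn in $ouRdns) {
        $current = "$rdn,$current"
        $chain  += $current
    }

    $normal   = New-Object System.Collections.Generic.List[string]
    $enforced = New-Object System.Collections.Generic.List[string]

    foreach ($container in $chain) {
        # Block Inheritance discards every non-enforced GPO inherited from containers above.
        if ($BlockInheritance[$container]) { $normal.Clear() }

        $containerLinks = @($Links[$container]) | Where-Object { $_ -and -not $_.Disabled }
        # Highest link order is processed first; link order 1 is processed last and wins.
        $sorted = $containerLinks | Sort-Object { [int]$_.LinkOrder } -Descending

        $here = @()
        foreach ($link in $sorted) {
            if ($link.Enforced) { $here += $link.Name } else { $normal.Add($link.Name) }
        }
        # Enforced links from higher containers beat enforced links from lower ones, so the
        # ones collected lower down are processed before (inserted ahead of) those above.
        if ($here.Count) { $enforced.InsertRange(0, [string[]]$here) }
    }

    # The local GPO is always first and cannot be blocked; enforced links are always last.
    return @('Local GPO') + $normal.ToArray() + $enforced.ToArray()
}

# Constructed sample: a Sales OU with Block Inheritance, a domain-level enforced baseline,
# and a disabled link, for the computer SALES-PC01.
$links = @{
    'Site:Default-First-Site-Name'       = @(@{Name='Site Proxy Settings'; LinkOrder=1})
    'DC=contoso,DC=com'                  = @(@{Name='Default Domain Policy'; LinkOrder=1},
                                            @{Name='Corp Security Baseline'; LinkOrder=2; Enforced=$true})
    'OU=Corp,DC=contoso,DC=com'          = @(@{Name='Corp Desktop'; LinkOrder=1})
    'OU=Sales,OU=Corp,DC=contoso,DC=com' = @(@{Name='Sales Apps'; LinkOrder=2},
                                            @{Name='Sales Lockdown'; LinkOrder=1},
                                            @{Name='Old Sales Policy'; LinkOrder=3; Disabled=$true})
}
$block = @{ 'OU=Sales,OU=Corp,DC=contoso,DC=com' = $true }

$order = Get-GpoProcessingOrder -TargetDN 'CN=SALES-PC01,OU=Sales,OU=Corp,DC=contoso,DC=com' `
                                -SiteName 'Default-First-Site-Name' -Links $links -BlockInheritance $block
for ($i = 0; $i -lt $order.Count; $i++) { '{0}. {1}' -f ($i + 1), $order[$i] }
```

With the sample data the function returns Local GPO, Sales Apps, Sales Lockdown, Corp Security Baseline, in that order: the site GPO, Default Domain Policy and Corp Desktop are dropped by Block Inheritance on the Sales OU, the disabled link is skipped, link order 1 within the Sales OU is processed after link order 2, and the enforced baseline survives the block and is processed last, so it overrides any conflicting Sales setting.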

42) Name a few benefits of using GPMC.
Microsoft released the Group Policy Management Console (GPMC) years ago, which is an amazing innovation in Group Policy management. The tool provides control over Group Policy in the following manner:
Easy administration of all GPOs across the entire Active Directory forest
View of all GPOs in one single list
Reporting of GPO settings, security, filters, delegation, etc.
Control of GPO inheritance with Block Inheritance, Enforce, and Security Filtering
Delegation model
Backup and restore of GPOs


Migration of GPOs across different domains and forests
With all of these benefits, there are still limitations in using the GPMC alone. Granted, the GPMC is needed and should be used by everyone for what it is ideal for. However, it falls a bit short when you want:
Role-based delegation of GPO management
Protection of GPOs from being edited directly in production, where a bad edit reaches desktops and servers at the next refresh
A guarantee that a GPO is backed up after it has been modified
Change management (who changed what, when, and why) of each modification to every GPO
These are the gaps that Microsoft's Advanced Group Policy Management (AGPM, part of the Desktop Optimization Pack) was built to fill, with offline editing, check-in/check-out and an approval workflow on top of GPMC.

43) What are the GPC and the GPT? Where can I find them?
Group Policy Container (GPC) and Group Policy Template (GPT).

The GPC part is stored in Active Directory (a groupPolicyContainer object under CN=Policies,CN=System in the domain partition), so you can view it and edit its permissions with Active Directory Users and Computers: enable Advanced Features in the View menu, and browse System\Policies. It holds the GPO's version number, status, and the list of client-side extensions the GPO uses.

The GPT part is stored in the file system under the SYSVOL share, one folder per GPO named by the GPO's GUID. You can find them here:
\\<domain DNS name>\SYSVOL\<domain DNS name>\Policies\{GUID}
Both parts carry a version number that should match on every domain controller; gpotool.exe from the Resource Kit checks that consistency when clients in one location report stale or missing policy.


44) What are GPO links? What special things can I do to them?
Linking GPOs
To apply the settings of a GPO to the users and computers of a domain, site, or OU, you need to add a link to that GPO. You can add one or more GPO links to each domain, site, or OU by using GPMC, and one GPO can be linked in several places. A link can also be disabled (the GPO remains but is not processed there), enforced (its settings cannot be blocked or overridden from below), or moved up or down in link order to change its precedence, as described below. Keep in mind that creating and linking GPOs is a sensitive privilege that should be delegated only to administrators who are trusted and understand Group Policy.
Linking GPOs to the Site
If you have a number of policy settings to apply to computers in a particular physical location only (certain network or proxy configuration settings, for example), these settings might be appropriate for inclusion in a site-based policy. Because domains and sites are independent, it is possible that computers in the site will have to cross domains to retrieve the GPO linked to the site, since the GPO itself is stored in the domain where it was created. In this case, make sure there is good connectivity.
If, however, the settings do not clearly correspond to computers in a single site, it is better to link the GPO to the domain or OU structure rather than to the site.
Linking GPOs to the Domain
Link GPOs to the domain if you want them to apply to all users and computers in the domain. For example, security administrators often implement domain-based GPOs to enforce corporate standards. They might want to create these GPOs with the GPMC Enforce option enabled to guarantee that no other administrator can override these settings.
Important
If you need to modify some of the settings contained in the Default Domain Policy GPO, it is recommended that you create a new GPO for this purpose, link it to the domain, and set the Enforce option. In general, do not modify this or the Default Domain Controllers Policy GPO. If you do, be sure to back up these and any other GPOs in your network by using GPMC to ensure you can restore them.

As the name suggests, the Default Domain Policy GPO is also linked to the domain. The Default Domain Policy GPO is created when the first domain controller in the domain is installed and the administrator logs on for the first time. This GPO contains the domain-wide account policy settings (Password Policy, Account Lockout Policy, and Kerberos Policy), which are enforced by the domain controllers in the domain. All domain controllers retrieve the values of these account policy settings from the Default Domain Policy GPO. To apply account policies to domain accounts, these settings must be deployed in a GPO linked to the domain, and it is recommended that you set them in the Default Domain Policy. If you set account policies at a lower level, such as an OU, the settings affect only local accounts (non-domain accounts) on computers in that OU and its children.
Before making any changes to the default GPOs, back them up using GPMC. If there is a problem with the changes and you cannot revert to the previous or initial state, you can use the Dcgpofix.exe tool to recreate the default policies in their initial state.
Dcgpofix.exe is a command-line tool that completely restores the Default Domain Policy GPO and the Default Domain Controllers Policy GPO to their original states in the event of a disaster where you cannot use GPMC. Dcgpofix.exe restores only the policy settings that are contained in the default GPOs at the time they are generated. The only Group Policy extensions that include policy settings in the default GPOs are RIS, Security, and EFS. Dcgpofix.exe does not restore other GPOs that administrators create; it is intended only for disaster recovery of the default GPOs.
Note that Dcgpofix.exe does not save any information created through applications such as SMS or Exchange, and every customization you made to the default GPOs (a hardened password policy, for example) is discarded, so take a GPMC backup first and reapply such settings afterwards. The Dcgpofix.exe tool is included with Windows Server 2003, and that version works only in a Windows Server 2003 domain.
Dcgpofix.exe is located in the C:\Windows\Repair folder. The syntax for Dcgpofix.exe is as follows:
DCGPOFix [/ignoreschema] [/Target: Domain | DC | BOTH]
The /ignoreschema switch skips the check that the Active Directory schema version matches the one the tool was built for. Table 2.1 describes the options you can use with the /Target: parameter.
Table 2.1 Dcgpofix.exe options for the /Target parameter
  /Target option   Description of option
  --------------   --------------------------------------------------------------------------
  DOMAIN           Specifies that the Default Domain Policy should be recreated.
  DC               Specifies that the Default Domain Controllers Policy should be recreated.
  BOTH             Specifies that both the Default Domain Policy and the Default Domain Controllers Policy should be recreated.
For more information about Dcgpofix.exe, in Help and Support Center for Windows Server 2003 click Tools, and then click Command-line reference A-Z.
Linking GPOs to the OU Structure
Most GPOs are normally linked to the OU structure because this provides the most flexibility and manageability:
You can move users and computers into and out of OUs.
OUs can be rearranged if necessary.
You can work with smaller groups of users who have common administrative requirements.
You can organize users and computers based on which administrators manage them.
Organizing GPOs into user-oriented and computer-oriented GPOs can help make your Group Policy environment easier to understand and can simplify troubleshooting. However, separating the user and computer components into separate GPOs might require more GPOs. You can compensate for this by adjusting the GPO Status to disable the user or computer configuration portion of the GPO that does not apply, which also reduces the time required to apply a given GPO.
Changing the GPO Link Order
Within each domain, site, and OU, the link order controls the order in which GPOs are applied. To change the precedence of a link, you can change the link order, moving each link up or down in the list to the appropriate location. Links with the lowest number have the highest precedence for a given site, domain, or OU. For example, if you add six GPO links and later decide that you want the last one that you added to have the highest precedence, you can adjust the link order of that GPO link so that it has link order 1. To change the link order for GPO links for a domain, OU, or site, use GPMC.
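The back-up-first sequence recommended above for the default GPOs (GPMC backup, restore from it, and Dcgpofix only when nothing else works), as an added example that is not part of the original page. It uses the GroupPolicy PowerShell module that ships with GPMC on Windows Server 2008 R2 and later; the backup folder and GPO names are assumptions.

```powershell
# Added example, not from the original page. Back up every GPO and export readable reports of
# the two default GPOs before touching them; restore one from that backup; fall back to
# dcgpofix only when the backups and GPMC are unusable. The backup path is an assumption.
Import-Module GroupPolicy

$backupDir = Join-Path 'C:\GPOBackups' (Get-Date -Format 'yyyyMMdd-HHmm')
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Full backup of all GPOs in the domain, tagged so the reason is searchable later.
Backup-GPO -All -Path $backupDir -Comment 'Before editing default GPOs' |
    Select-Object DisplayName, GpoId, Id, CreationTime

# Human-readable settings reports of the defaults, useful for diffing after a change.
foreach ($name in 'Default Domain Policy', 'Default Domain Controllers Policy') {
    Get-GPOReport -Name $name -ReportType Html -Path (Join-Path $backupDir "$name.html")
}

# Roll a single GPO back to its most recent backup in that folder and confirm the timestamp moved.
Restore-GPO -Name 'Default Domain Policy' -Path $backupDir | Out-Null
Get-GPO -Name 'Default Domain Policy' | Select-Object DisplayName, ModificationTime, GpoStatus

# Last resort, when GPMC and the backups are gone: rebuild the defaults to the out-of-box
# state. Everything you customised (for example a stronger password policy) is lost until
# you reapply it, so this is deliberately left commented out.
# dcgpofix /target:Domain    # Default Domain Policy only
# dcgpofix /target:DC        # Default Domain Controllers Policy only
# dcgpofix /target:Both
```

Backup-GPO writes one folder per GPO under the path, named by a backup GUID, together with a manifest; Restore-GPO -Name picks the newest backup of that GPO in the folder, so keep one dated folder per change rather than one shared folder.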

45) What can I do to prevent inheritance from above?
You can block policy inheritance for a domain or organizational unit. Using Block Inheritance prevents GPOs linked to higher sites, domains, or organizational units from being automatically inherited by the child level. By default, children inherit all GPOs from the parent, but it is sometimes useful to block inheritance. For example, if you want to apply a single set of policies to an entire domain except for one organizational unit, you can link the required GPOs at the domain level (from which all organizational units inherit policies by default), and then block inheritance only on the organizational unit to which the policies should not be applied. Block Inheritance does not stop GPO links that are set to Enforced, and it does not affect the local GPO.

46) How can I override blocking of inheritance?
Set the Enforce option (called No Override in the older Group Policy snap-in) on the GPO link at the higher level. An enforced link is applied even where a child domain or OU has Block Inheritance set, and its settings cannot be overridden by GPOs linked lower in the hierarchy. See question 44.
47) How can you determine what GPO was and was not applied for a user? Name a few ways to do that.
Use the Group Policy Management Console, which Microsoft created for this very purpose: Group Policy Results reports which GPOs actually applied (and which were denied, and why) for a given user and computer, and Group Policy Modeling simulates what would apply to a user or computer placed in a given container. On the client machine, run the Resultant Set of Policy snap-in (rsop.msc) or issue gpresult at a command prompt: gpresult /v on Windows XP and Windows Server 2003, or gpresult /r for a summary and gpresult /h report.html for an HTML report on Windows Vista and later.

48) A user claims he did not receive a GPO, yet his user and computer accounts are in the right OU, and
everyone else there gets the GPO. What will you look for?
Here the interviewer wants to know the troubleshooting steps:
Which GPOs are actually applying to this user and computer (gpresult or GPMC Group Policy Results), and does the missing GPO show up there as denied?
Does the GPO carry the settings in the right half (user or computer), and has that half been disabled in the GPO status?


Which GPOs are linked to the OU, are any of the links disabled, and is Block Inheritance set on the OU?
Check whether loopback processing is enabled on a GPO that applies to the computer: in loopback Replace mode the user settings come from the GPOs linked to the computer's location, not the user's, so a user-side GPO linked to the user's OU is ignored.
Is the user (or computer) a member of the security group the GPO is filtered to, and does that group still have both Read and Apply Group Policy permission on the GPO? A Deny entry on any group the user belongs to also prevents delivery. Check any WMI filter linked to the GPO against this particular computer as well.
You may also want to check the computer's event logs. Event ID 1085 means a Group Policy client-side extension (the event names which one) failed to apply its settings; apply the fix or patch for that extension and reboot the computer. Finally, compare the GPO version in Active Directory with the version in SYSVOL on the domain controller this client uses, since a lagging SYSVOL replica means this client sees an older GPO than everyone else.
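The troubleshooting steps of question 48, as an added example that is not part of the original page: a PowerShell function that runs the checks against a live domain for one GPO, one user and one computer. It reports the GPO status and version numbers, whether the GPO is inherited at each object's container, whether the principal (directly, through nested groups, or as Authenticated Users) holds Apply Group Policy, whether a GPO reaching the computer turns on loopback, and what the client logged. It needs the ActiveDirectory and GroupPolicy modules (RSAT) and rights to read the client's event log; the GPO, user and computer names at the end are assumptions.

```powershell
# Added example, not from the original page. Requires RSAT (ActiveDirectory + GroupPolicy
# modules) on a domain-joined machine. Names passed at the bottom are assumptions.
Import-Module ActiveDirectory, GroupPolicy

function Test-GpoDelivery {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$UserName,      # sAMAccountName
        [Parameter(Mandatory)][string]$ComputerName   # computer name without the trailing $
    )
    $gpo  = Get-GPO -Name $GpoName
    $user = Get-ADUser -Identity $UserName
    $comp = Get-ADComputer -Identity $ComputerName

    # 1. Which half is enabled, is a WMI filter attached, and do AD and SYSVOL versions agree?
    $filter = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { 'none' }
    "GPO status: $($gpo.GpoStatus); WMI filter: $filter; " +
    "versions AD/SYSVOL computer=$($gpo.Computer.DSVersion)/$($gpo.Computer.SysvolVersion) " +
    "user=$($gpo.User.DSVersion)/$($gpo.User.SysvolVersion)"

    # 2. Does the GPO reach the user's and the computer's container? (Site-linked GPOs are
    #    not listed here, matching GPMC's Group Policy Inheritance tab.)
    foreach ($obj in $user, $comp) {
        $container = ($obj.DistinguishedName -split '(?<!\\),', 2)[1]
        $link = (Get-GPInheritance -Target $container).InheritedGpoLinks |
                Where-Object { $_.GpoId -eq $gpo.Id } | Select-Object -First 1
        if ($link) {
            '{0}: reached via link at {1} (enabled={2}, enforced={3}, order={4})' -f
                $obj.Name, $link.Target, $link.Enabled, $link.Enforced, $link.Order
        } else {
            '{0}: NOT inherited at {1} (check links, link status, Block Inheritance)' -f $obj.Name, $container
        }
    }

    # 3. Security filtering: the principal, or a group it belongs to (nested membership via the
    #    LDAP_MATCHING_RULE_IN_CHAIN filter), must hold Apply Group Policy. Deny entries are not
    #    reported here; check Delegation > Advanced in GPMC for those.
    $perms = Get-GPPermission -Guid $gpo.Id -All
    foreach ($obj in $user, $comp) {
        $dn = $obj.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
        $groupSids = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" | ForEach-Object { $_.SID.Value }
        $sids  = @($obj.SID.Value, 'S-1-5-11') + @($groupSids)       # S-1-5-11 = Authenticated Users
        $apply = $perms | Where-Object { $_.Trustee.Sid.Value -in $sids -and $_.Permission -eq 'GpoApply' }
        if ($apply) { '{0}: Apply Group Policy through {1}' -f $obj.Name, ($apply.Trustee.Name -join ', ') }
        else        { '{0}: no Apply Group Policy permission, security filtering blocks it' -f $obj.Name }
    }

    # 4. Loopback on any GPO reaching the computer changes where user settings come from.
    $compContainer = ($comp.DistinguishedName -split '(?<!\\),', 2)[1]
    foreach ($l in (Get-GPInheritance -Target $compContainer).InheritedGpoLinks) {
        $mode = Get-GPRegistryValue -Guid $l.GpoId -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
                                    -ValueName 'UserPolicyMode' -ErrorAction SilentlyContinue
        if ($mode) { "Loopback enabled by '{0}': mode {1} (1 = Merge, 2 = Replace)" -f $l.DisplayName, $mode.Value }
    }

    # 5. What the client logged (Vista and later; on XP look for source Userenv in the
    #    Application log). 1085: a client-side extension failed; 1058/1030: GPT/GPC unreadable.
    Get-WinEvent -ComputerName $ComputerName -MaxEvents 10 -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'; Id = 1085, 1058, 1030 } |
        Select-Object TimeCreated, Id, Message
    # Full RSoP report for the pair, the same data as GPMC's Group Policy Results.
    Get-GPResultantSetOfPolicy -Computer $ComputerName -User "$env:USERDOMAIN\$UserName" `
                               -ReportType Html -Path "$env:TEMP\rsop-$ComputerName.html"
}

Test-GpoDelivery -GpoName 'Sales Desktop' -UserName 'alice' -ComputerName 'SALES-PC01'
```

Run it from the same site as the client, or point the AD cmdlets at the client's domain controller with -Server, so that the GPO versions and links you inspect are the ones that client actually sees; a difference between what this script reports and what gpresult on the client reports usually points at replication.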

49) Name a few differences in Vista GPOs
You might as well have asked what the differences are between a horse and buggy, a Model T car, an Edsel, a muscle car and a spaceship. Be a little, no, be a LOT more specific, and you'll get a better answer. Other than all five being operating systems, that's about all they have in common. That, and they made Bill Gates the richest man in the world.
A more useful answer: Windows Vista replaced the .adm Administrative Templates with XML-based .admx/.adml files that can be kept in a central store in SYSVOL, moved Group Policy processing out of Winlogon into its own Group Policy Client service, added multiple local GPOs per computer (for administrators, non-administrators and individual users), and added several hundred new settings, for example for power management and device installation restrictions.
50) Name some GPO settings in the computer and user parts.
A GPO has two halves: Computer Configuration, applied at startup to the computer account, and User Configuration, applied at logon to the user account. Examples from elsewhere in this document: on the computer side, Account Policies (Password, Account Lockout and Kerberos Policy), other Security Settings such as audit policy, startup and shutdown scripts, software installation assigned to computers, and Administrative Templates; on the user side, Folder Redirection, logon and logoff scripts, software assigned or published to users, and Administrative Templates for the desktop and Start menu.

    51)What are administrative templates?

The GPO settings are divided between the Computer settings and the User settings. In both parts of the GPO you can clearly see a large section called Administrative Templates.
Administrative Templates are a large repository of registry-based settings (in fact, over 1300 individual settings) that can be found in any GPO on Windows 2000, Windows XP, and Windows Server 2003. By using the Administrative Templates sections of the GPO you can deploy modifications to the machine portion (HKEY_LOCAL_MACHINE) and the user portion (HKEY_CURRENT_USER) of the registry of the computers that the GPO applies to. True policy settings are written under the Policies keys (Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies in each hive), which the registry client-side extension removes again when the GPO no longer applies; a template that writes anywhere else "tattoos" the registry, and the setting stays after the GPO is gone.
The Administrative Templates are Unicode-formatted text files with the extension .ADM and are used to create the Administrative Templates portion of the user interface for the GPO Editor. Starting with Windows Vista and Windows Server 2008 they are replaced by XML-based .ADMX files (with .ADML language files), which can be kept in a central store under SYSVOL instead of being copied into every GPO.
55) What's the difference between software publishing and assigning?
An administrator can either assign or publish software applications.
Assign to users: The software application is advertised when the user logs on. It is installed when the user clicks the application icon on the Start menu, or opens a file that has been associated with the application.
Assign to computers: The software application is advertised and installed when it is safe to do so, such as when the computer is next restarted, before anyone logs on.
Publish to users: The software application does not appear on the Start menu or desktop, so the user may not know that the software is available. The application is made available via the Add/Remove Programs option in Control Panel, or by opening a file that has been associated with the application. Published applications do not reinstall themselves in the event of accidental deletion, and it is not possible to publish to computers.

56) Can I deploy non-MSI software with GPO?
Yes. Software installation through Group Policy natively deploys Windows Installer (.msi) packages. For other installers you can either publish a .zap file (a small text file that points at the setup program; it can only be published to users, not assigned, and the setup runs with the user's own rights, so it cannot install anything the user could not install by hand) or repackage the application into an MSI with a repackaging tool such as the Veritas WinINSTALL LE Discover wizard shipped on the Windows 2000 Server CD:
How to Create a Third-Party MSI Package
For this process to work properly, start with a clean PC, or one that is representative of the computers in your network.
1. Start Discover to take a picture of the representative PC's software configuration. This is the Before snapshot.
2. Install the program on the PC on which you took the Before snapshot.
3. Reboot the PC.
4. Run the new program to verify that it works, then quit it.
5. Start Discover and take an After snapshot of the PC's new configuration. Discover compares the Before and After snapshots, notes the changes, and creates a Windows Installer package describing how to install that program on such a PC in the future.
6. (Optional) Use the Veritas Software Console to customize the Windows Installer package.
7. Clean the reference computer to prepare it to run Discover again.
8. (Optional) Perform a test installation of the program on non-production workstations.

    57)You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) onthe computers in one department. How would you do that?


Log on to a client as a template user (a dedicated account is better than a Domain Admin account, whose profile would carry administrative settings and cached credentials), configure the desktop the way you want it (wallpaper, My Documents, Start menu, printers, and so on), and log off. Then log on as an administrator, open System > Advanced > User Profiles > Settings, select the template profile and use Copy To to copy it to a share (for example \\server\profiles\dept), selecting Everyone under "Permitted to use". In the copied profile rename ntuser.dat to ntuser.man, which makes it a mandatory profile, and assign the share path as the profile path on each user's account. Because the profile is mandatory, any changes users make are discarded at logoff and everyone in the department gets the same desktop. The settings that have Group Policy equivalents (wallpaper, Start menu, printers, folder redirection for My Documents) can instead be enforced with a GPO linked to the department's OU, which is easier to maintain than a profile image.

(Windows Server 2008) System Administrator Interview Question and Answer Part 3
August 17, 2010 by Vasim Memon

Welcome, reader, to the 3rd part of System Administrator Interview Questions and Answers. I hope that you have read the previous articles; if not, here are the links:
http://systadmin.wordpress.com/2009/03/19/systadmin-int-quest-part1-html/
http://systadmin.wordpress.com/2009/05/07/system-administrator-interview-question-with-answers-part-2/
http://systadmin.wordpress.com/2010/01/07/dns-interview-questions-and-answers/
http://systadmin.wordpress.com/2010/05/30/common-windows-system-network-administrator-questions-with-answers-2/
What is Active Directory Domain Services 2008?
Active Directory Domain Services (AD DS), formerly known simply as Active Directory, is the central location for configuration information, authentication requests, and information about all of the objects that are stored within your forest. Using Active Directory, you can efficiently manage users, computers, groups, printers, applications, and other directory-enabled objects from one secure, centralized location.
What is the SYSVOL folder?

The Sysvol folder on a Windows domain controller is used to replicate file-based data among domain controllers. Because junctions are used within the Sysvol folder structure, Windows NT file system (NTFS) version 5.0 is required on domain controllers throughout a Windows distributed file system (DFS) forest.
This is a quote from Microsoft themselves; basically, the domain controller information stored in files, such as your Group Policy templates and logon scripts, is replicated through this folder structure (by the File Replication Service, or by DFS Replication in Windows Server 2008 domains that have been migrated to it).
What's New in Windows Server 2008 Active Directory Domain Services?
Active Directory Domain Services in Windows Server 2008 provides a number of enhancements over previous versions, including these:
Auditing: AD DS auditing has been enhanced significantly in Windows Server 2008. The enhancements provide more granular auditing capabilities through four new auditing subcategories: Directory Service Access, Directory Service Changes, Directory Service Replication, and Detailed Directory Service Replication. Additionally, auditing now provides the capability to log the old and new values of an attribute when a successful change is made to that attribute.
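The Windows Server 2008 change auditing described above, as an added example that is not part of the original page: enable the Directory Service Changes subcategory on a domain controller, put a SACL on an OU so that attribute writes there are audited, and read back the resulting Security events, which carry the old and new attribute values. It must run on a domain controller as a domain administrator with the ActiveDirectory module loaded; the OU distinguished name is an assumption.

```powershell
# Added example, not from the original page. Run on a Windows Server 2008 (or later) DC
# as a domain admin. The OU below is an assumption.
Import-Module ActiveDirectory

# 1. Turn on the subcategory locally. The GPO equivalent lives under Advanced Audit Policy
#    Configuration (Windows Server 2008 R2 and later) in the Default Domain Controllers Policy.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# 2. Add a SACL to the OU: audit successful property writes by anyone, inherited by child objects.
#    Without a matching SACL the subcategory produces no events for the object.
$ouPath   = 'AD:\OU=Privileged,DC=contoso,DC=com'
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl = Get-Acl -Path $ouPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $ouPath -AclObject $acl

# 3. Read the change events. 5136 = object modified (one "Value Deleted" event with the old
#    value and one "Value Added" event with the new value per changed attribute),
#    5137 = created, 5139 = moved, 5141 = deleted.
function Get-DirectoryChangeEvent {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5139, 5141 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Id        = $_.Id
                Subject   = $d['SubjectUserName']
                Object    = $d['ObjectDN']
                Attribute = $d['AttributeLDAPDisplayName']
                Value     = $d['AttributeValue']
                Operation = $d['OperationType']   # %%14674 = Value Added, %%14675 = Value Deleted
            }
        }
}
Get-DirectoryChangeEvent | Format-Table -AutoSize
```

One caveat for Windows Server 2008 domain controllers: if the Default Domain Controllers Policy still sets the legacy "Audit directory service access" category, the next policy refresh overwrites what auditpol configured unless the security option "Audit: Force audit policy subcategory settings to override audit policy category settings" (SCENoApplyLegacyAuditPolicy) is enabled, so set the subcategories through policy or enable that option before relying on them.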

Fine-Grained Password Policies: AD DS in Windows Server 2008 now provides the capability to create different password and account lockout policies for different sets of users in a domain (this requires the Windows Server 2008 domain functional level). User and group password and account lockout policies are defined and applied via a Password Settings Object (PSO). A PSO has attributes for all the settings that can be defined in the Default Domain Policy, except Kerberos settings. PSOs can be applied to users and to global security groups, not to OUs; where several PSOs reach a user, the one with the lowest precedence value wins, and a PSO applied directly to the user always beats one applied through a group.
Read-Only Domain Controllers: AD DS in Windows Server 2008 introduces a new type of domain controller called a read-only domain controller (RODC). RODCs contain a read-only copy of the AD DS database. RODCs are covered in more detail in Chapter 6, Manage Sites and Replication.
Restartable Active Directory Domain Services: AD DS in Windows Server 2008 can now be stopped and restarted through MMC snap-ins and the command line. The restartable AD DS service reduces the time required to perform certain maintenance and restore operations. Additionally, other services running on the server remain available to satisfy client requests while AD DS is stopped.
AD DS Database Mounting Tool: AD DS in Windows Server 2008 comes with an AD DS database mounting tool (Dsamain.exe), which provides a means to compare data as it exists in snapshots or backups taken at different times. The AD DS database mounting tool eliminates the need to restore multiple backups to compare the AD data that they contain and provides the capability to examine any change made to data stored in AD DS.
What is the Global Catalog?
A global catalog server is a domain controller. It is a master searchable database that contains information about every object in every domain in a forest. The global catalog contains a complete replica of all objects in Active Directory for its host domain, and contains a partial replica of all objects in Active Directory for every other domain in the forest.
It has two important functions:
Provides group membership information during logon and authentication
Helps users locate resources in Active Directory
What are RODCs? And what are the major benefits of using RODCs?
A read-only domain controller (RODC) is a new type of domain controller in the Windows Server 2008 operating system. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts read-only partitions of the Active Directory Domain Services (AD DS) database.
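The fine-grained password policies described in the "What's New" list above, as an added example that is not part of the original page: create a Password Settings Object with stricter password and lockout settings than the Default Domain Policy, apply it to a global group, and check which policy a given account actually ends up with. It needs the ActiveDirectory PowerShell module (Windows Server 2008 R2 and later) against a domain at the Windows Server 2008 functional level; the PSO name, the group and the user name are assumptions.

```powershell
# Added example, not from the original page. Requires the ActiveDirectory module and a domain
# at the Windows Server 2008 functional level. PSO name, group and user are assumptions.
Import-Module ActiveDirectory

$psoName = 'PSO-PrivilegedAccounts'

# Create the PSO once. Precedence: when several PSOs reach a user through group membership,
# the LOWEST value wins; a PSO applied directly to the user beats any group-applied PSO.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    $settings = @{
        Name                            = $psoName
        Precedence                      = 10
        ComplexityEnabled               = $true
        MinPasswordLength               = 15
        PasswordHistoryCount            = 24
        MinPasswordAge                  = '1.00:00:00'    # d.hh:mm:ss
        MaxPasswordAge                  = '60.00:00:00'
        LockoutThreshold                = 5
        LockoutObservationWindow        = '00:30:00'
        LockoutDuration                 = '00:30:00'
        ReversibleEncryptionEnabled     = $false
        ProtectedFromAccidentalDeletion = $true
    }
    New-ADFineGrainedPasswordPolicy @settings
}

# Apply it to a global security group (PSOs accept users and global groups, not OUs).
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'

# Resolve what an account really gets: the winning PSO, or the Default Domain Policy
# settings when no PSO applies to the user or any of its groups.
function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) {
        [pscustomobject]@{ User = $SamAccountName; Policy = $pso.Name; Precedence = $pso.Precedence
                           MinLength = $pso.MinPasswordLength; Lockout = $pso.LockoutThreshold }
    } else {
        $dom = Get-ADDefaultDomainPasswordPolicy
        [pscustomobject]@{ User = $SamAccountName; Policy = 'Default Domain Policy'; Precedence = $null
                           MinLength = $dom.MinPasswordLength; Lockout = $dom.LockoutThreshold }
    }
}
Get-EffectivePasswordPolicy -SamAccountName 'alice'
```

Because a PSO only binds to users and global groups, a user who is merely in an OU you consider privileged is not covered; keep the group membership that carries the PSO under the same change control as the group's other rights, and use the resolving function after every membership change.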


Before the release of Windows Server 2008, if users had to authenticate with a domain controller over a wide area network (WAN), there was no real alternative. In many cases, this was not an efficient solution. Branch offices often cannot provide the adequate physical security that is required for a writable domain controller. Furthermore, branch offices often have poor network bandwidth when they are connected to a hub site. This can increase the amount of time that is required to log on. It can also hamper access to network resources.
Beginning with Windows Server 2008, an organization can deploy an RODC to address these problems. As a result, users in this situation can receive the following benefits:
* Improved security
* Faster logon times
* More efficient access to resources on the network
What does an RODC do?
Inadequate physical security is the most common reason to consider deploying an RODC. An RODC provides a way to deploy a domain controller more securely in locations that require fast and reliable authentication services but cannot ensure physical security for a writable domain controller. Because the RODC holds no writable copy of the directory and, by default, caches no account passwords except those its Password Replication Policy allows, a stolen RODC exposes far less than a stolen writable domain controller, and the accounts whose secrets it did cache can be reset when its computer object is deleted.
However, your organization may also choose to deploy an RODC for special administrative requirements. For example, a line-of-business (LOB) application may run successfully only if it is installed on a domain controller. Or, the domain controller might be the only server in the branch office, and it may have to host server applications.
In such cases, the LOB application owner must often log on to the domain controller interactively or use Terminal Services to configure and manage the application. This situation creates a security risk that may be unacceptable on a writable domain controller.
An RODC provides a more secure mechanism for deploying a domain controller in this scenario. You can grant a nonadministrative domain user the right to log on to and administer an RODC (Administrator Role Separation) while minimizing the security risk to the Active Directory forest.
You might also deploy an RODC in other scenarios where local storage of all domain user passwords is a primary threat, for example, in an extranet or application-facing role.
What is REPADMIN?
Repadmin.exe: Replication Diagnostics Tool
This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers.
Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors.
Repadmin.exe can also be used for monitoring the relative health of an Active Directory forest. The operations replsummary, showrepl, showrepl /csv, and showvector /latency can be used to check for replication problems.
What is NETDOM?
NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and resetting or verifying secure channels.
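The repadmin health checks and the netdom trust and secure-channel checks named above, as an added example that is not part of the original page: a PowerShell function that parses repadmin /showrepl /csv so that only failing replication links are shown, with the Win32 error text for each status code, followed by the other commands from the two answers. It must run as a domain administrator on a domain controller or a machine with RSAT; the naming context, workstation and partner domain names are assumptions.

```powershell
# Added example, not from the original page. Run as a domain admin on a DC or an RSAT box.
# The partition DN, workstation and partner domain below are assumptions.
function Get-ReplicationFailure {
    $csv = repadmin /showrepl * /csv
    if ($LASTEXITCODE -ne 0) { throw "repadmin exited with code $LASTEXITCODE" }
    $csv | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        ForEach-Object {
            $status = [int]$_.'Last Failure Status'
            [pscustomobject]@{
                Destination = $_.'Destination DSA'
                Source      = $_.'Source DSA'
                Partition   = $_.'Naming Context'
                Failures    = [int]$_.'Number of Failures'
                LastFailure = $_.'Last Failure Time'
                Status      = $status
                Reason      = ([System.ComponentModel.Win32Exception]$status).Message   # e.g. 8453 -> access denied
            }
        }
}

repadmin /replsummary                               # per-DC summary: largest delta, fails/total
Get-ReplicationFailure | Format-Table -AutoSize     # only the broken links, with the error text
repadmin /showvector /latency 'DC=contoso,DC=com'   # up-to-dateness vector: how stale each DC's view is
repadmin /syncall /AdeP                             # force replication of all partitions, cross-site, push

netdom query fsmo                                   # who holds the operations master roles
netdom query trust                                  # trusts of the current domain
netdom verify WS01 /domain:contoso.com              # test a workstation's secure channel
netdom trust contoso.com /domain:partner.example /verify   # verify a trust in both directions
```

A non-zero Number of Failures with a recent Last Success Time is a transient problem; the links to act on are those whose Last Success Time is older than the tombstone lifetime of the forest, because a domain controller that has not replicated for that long must be removed and rebuilt rather than repaired.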

system administrator interview question with answer Part -1
March 19, 2009 by Vasim Memon
KCC
The KCC (Knowledge Consistency Checker) is a built-in process that runs on all domain controllers and generates the replication topology for the Active Directory forest. The KCC creates separate replication topologies depending on whether replication is occurring within a site (intrasite) or between sites (intersite). The KCC also dynamically adjusts the topology to accommodate new domain controllers, domain controllers moved to and from sites, changing costs and schedules, and domain controllers that are temporarily unavailable.
How do you view replication properties for AD?
By using Active Directory Replication Monitor (Replmon, from the Windows Support Tools): Start > Run > replmon. Replmon is not included with Windows Server 2008; use repadmin there.
What are sites? What are they used for?
One or more well-connected (highly reliable and fast) TCP/IP subnets. A site allows administrators to configure Active Directory access and replication topology to take advantage of the physical network.
Name some OU design considerations?
OU design requires balancing requirements for delegating administrative rights indepen