Term
| What is Active Directory? |
|
Definition
| Active Directory is a database based system that provides authentication, directory, policy, and other services in a Windows environment |
|
|
Term
| What is the SYSVOL folder? |
|
Definition
| The sysVOL folder stores the server's copy of the domain's public files. The contents such as group policy, users etc of the sysvol folder are replicated to all domain controllers in the domain. |
|
|
Term
|
Definition
| A Site object in Active Directory represents a geographic location that hosts networks. |
|
|
Term
| Which is the command used to remove active directory from a domain controller? |
|
Definition
|
|
Term
| What is multimaster replication? |
|
Definition
| A method of database replication which allows data to be stored by a group of computers, and updated by any member of the group. All members are responsive to client data queries. The multi-master replication system is responsible for propagating the data modifications made by each member to the rest of the group, and resolving any conflicts that might arise between concurrent changes made by different members. |
|
|
Term
|
Definition
| Group Policy gives you administrative control over users and computers in your network. By using Group Policy, you can define the state of a user's work environment once, and then rely on Windows Server 2003 to continually force the Group Policy settings that you apply across an entire organization or to specific groups of users and computers. |
|
|
Term
| What is the order in which GPOs are applied? |
|
Definition
|
|
Term
| What are GPO links? What special things can I do to them? |
|
Definition
| To apply the settings of a GPO to the users and computers of a domain, site, or OU, you need to add a link to that GPO. You can add one or more GPO links to each domain, site, or OU by using GPMC. Keep in mind that creating and linking GPOs is a sensitive privilege that should be delegated only to administrators who are trusted and understand Group Policy. |
|
|
Term
|
Definition
| LDAP (Lightweight Directory Access Protocol) is an application protocol for querying and modifying items in directory service providers like Active Directory, which supports a form of LDAP. |
|
|
Term
| What are the physical & logical components of ADS? |
|
Definition
| The physical component of Active directory contain all the physical subnet present in your network like domain contollers and replication between domain contollers. |
|
|
Term
| What is a global catalog server? |
|
Definition
| The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. |
|
|
Term
| What are the standard port numbers for SMTP, POP3, IMAP4, RPC, LDAP and Global Catalog? |
|
Definition
| SMTP-25, POP3-110, IMAP4-143, RPC-135, LDAP-389, Global Catalog-3268 |
|
|
Term
| What is the file that’s responsible for keeping all Active Directory databases? |
|
Definition
|
|
Term
| What are the FSMO roles? Who has them by default? What happens when each one fails? |
|
Definition
| There are just five operations where the usual multiple master model breaks down, and the Active Directory task must only be carried out on one Domain Controller. FSMO roles: PDC Emulator - Most famous for backwards compatibility with NT 4.0 BDC's. However, there are two other FSMO roles which operate even in Windows 2003 Native Domains, synchronizing the W32Time service and creating group policies. I admit that it is confusing that these two jobs have little to do with PDCs and BDCs. RID Master - Each object must have a globally unique number (GUID). The RID master makes sure each domain controller issues unique numbers when you create objects such as users or computers. For example DC one is given RIDs 1-4999 and DC two is given RIDs 5000 - 9999. Infrastructure Master - Responsible for checking objects in other other domains. Universal group membership is the most important example. To me, it seems as though the operating system is paranoid that, a) You are a member of a Universal Group in another domain and b) that group has been assigned Deny permissions. So if the Infrastructure master could not check your Universal Groups there could be a security breach. Domain Naming Master - Ensures that each child domain has a unique name. How often do child domains get added to the forest? Not very often I suggest, so the fact that this is a FSMO does not impact on normal domain activity. My point is it's worth the price to confine joining and leaving the domain operations to one machine, and save the tiny risk of getting duplicate names or orphaned domains. Schema Master - Operations that involve expanding user properties e.g. Exchange 2003 / forestprep which adds mailbox properties to users. Rather like the Domain naming master, changing the schema is a rare event. However if you have a team of Schema Administrators all experimenting with object properties, you would not want there to be a mistake which crippled your forest. So its a case of Microsoft know best, the Schema Master should be a Single Master Operation and thus a FSMO role. |
|
|
Term
| What are the DS* commands? |
|
Definition
| New DS built-in tools for Windows Server 2003 The DS (Directory Service) group of commands are split into two families. In one branch are DSadd, DSmod, DSrm and DSMove and in the other branch are DSQuery and DSGet. |
|
|
Term
|
Definition
| Backing up Active Directory is essential to maintain an Active Directory database. You can back up Active Directory by using the Graphical User Interface (GUI) and command-line tools that the Windows Server 2003 family provides. You frequently backup the system state data on domain controllers so that you can restore the most current data. By establishing a regular backup schedule, you have a better chance of recovering data when necessary. To ensure a good backup includes at least the system state data and contents of the system disk, you must be aware of the tombstone lifetime. By default, the tombstone is 60 days. Any backup older than 60 days is not a good backup. Plan to backup at least two domain controllers in each domain, one of at least one backup to enable an authoritative restore of the data when necessary |
|
|
Term
|
Definition
| In Windows Server 2003 family, you can restore the Active Directory database if it becomes corrupted or is destroyed because of hardware or software failures. You must restore the Active Directory database when objects in Active Directory are changed or deleted. Active Directory restore can be performed in several ways. Replication synchronizes the latest changes from every other replication partner. Once the replication is finished each partner has an updated version of Active Directory. There is another way to get these latest updates by Backup utility to restore replicated data from a backup copy. For this restore you don't need to configure again your domain controller or no need to install the operating system from scratch. You can use one of the three methods to restore Active Directory from backup media: primary restore, normal (non authoritative) restore, and authoritative restore. Primary restore: This method rebuilds the first domain controller in a domain when there is no other way to rebuild the domain. Perform a primary restore only when all the domain controllers in the domain are lost, and you want to rebuild the domain from the backup. Members of Administrators group can perform the primary restore on local computer, or user should have been delegated with this responsibility to perform restore. On a domain controller only Domain Admins can perform this restore. Normal restore: This method reinstates the Active Directory data to the state before the backup, and then updates the data through the normal replication process. Perform a normal restore for a single domain controller to a previously known good state. Authoritative restore: You perform this method in tandem with a normal restore. An authoritative restore marks specific data as current and prevents the replication from overwriting that data. The authoritative data is then replicated through the domain. Perform an authoritative restore individual object in a domain that has multiple domain controllers. When you perform an authoritative restore, you lose all changes to the restore object that occurred after the backup. Ntdsutil is a command line utility to perform an authoritative restore along with windows server 2003 system utilities. The Ntdsutil command-line tool is an executable file that you use to mark Active Directory objects as authoritative so that they receive a higher version recently changed data on other domain controllers does not overwrite system state data during replication. |
|
|
Term
| What is tombstone lifetime attribute? |
|
Definition
| The number of days before a deleted object is removed from the directory services. This assists in removing objects from replicated servers and preventing restores from reintroducing a deleted object. This value is in the Directory Service object in the configuration NIC |
|
|
Term
|
Definition
| knowledge consistency checker- it generates the replication topology by specifying what domain controllers will replicate to which other domain controllers in the site. The KCC maintains a list of connections, called a replication topology, to other domain controllers in the site. |
|
|
Term
| What is the default domain functional level in Windows Server 2003? |
|
Definition
|
|
Term
| What must be done to an AD forest before Exchange can be deployed? |
|
Definition
|
|
Term
|
Definition
| A fully qualified domain name (FQDN) is the complete domain name for a specific computer, or host, on the Internet. The FQDN consists of two parts: the hostname and the domain name. For example, an FQDN for a hypothetical mail server might be mymail.somecollege.edu. The hostname is mymail, and the host is located within the domain somecollege.edu. |
|
|
Term
| How does an Authoritative Restore differ from non-Authoritative Restore? |
|
Definition
A nonauthoritative restore is the default method for restoring Active Directory. To perform a nonauthoritative restore, you must be able to start the domain controller in Directory Services Restore Mode. After you restore the domain controller from backup, replication partners use the standard replication protocols to update Active Directory and associated information on the restored domain controller. An authoritative restore brings a domain or a container back to the state it was in at the time of backup and overwrites all changes made since the backup. If you do not want to replicate the changes that have been made subsequent to the last backup operation, you must perform an authoritative restore. In this one needs to stop the inbound replication first before performing the An authoritative restore. |
|
|
Term
| What is RODC? Why do we configure RODC? |
|
Definition
| A read-only domain controller (RODC) is a new type of domain controller in the Windows Server® 2008 operating system. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts read-only partitions of the Active Directory® Domain Services (AD DS) database. |
|
|
Term
| What are the tools used to check and troubleshoot replication of Active Directory? |
|
Definition
Repadmin is a command-line tool that report failures on a replication link between two replication partners. Dcdiag is a command-line tool that can check the DNS registration of a domain controller, check to see that the security descriptors (SIDs) on the naming context heads have appropriate permissions for replication, analyze the state of domain controllers in a forest or enterprise, and more. The following dcdiag example checks for any replication errors between domain controllers:
|
|
|
Term
| What is the use of Kerberos in Active Directory? Which port is used for Kerberos communication? |
|
Definition
| is a computer network authentication protocol which works on the basis of "tickets" to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed primarily at a client–server model, and it provides mutual authentication—both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks. Kerberos builds on symmetric key cryptography and requires a trusted third party, and optionally may use public-key cryptography by utilizing asymmetric key cryptography during certain phases of authentication.[1] Kerberos uses port 88 by default. |
|
|
Term
| What are Intersite and Intrasite replication? |
|
Definition
| Intra-site replication refers to replication between domain controllers in the same site whereas Inter-site replication refers to replication between DCs belonging to different sites. |
|
|
Term
| Give me brief explanation of different types of Active Directory trusts. |
|
Definition
Communication between domains occurs through trusts. Trusts are authentication pipelines that must be present in order for users in one domain to access resources in another domain. Two default trusts are created when using the Active Directory Installation Wizard. There are four other types of trusts that can be created using the New Trust Wizard or the Netdom command-line tool. Examples are external, realm, forest and shortcut.
|
|
|
Term
| What is the use of ADSIEDIT? How do we install it in Windows Server 2003 AD? |
|
Definition
| Active Directory® Service Interfaces Editor (ADSI Edit) is a Lightweight Directory Access Protocol (LDAP) editor that you can use to manage objects and attributes in Active Directory. ADSI Edit (adsiedit.msc) provides a view of every object and attribute in an Active Directory forest. You can use ADSI Edit to query, view, and edit attributes that are not exposed through other Active Directory Microsoft Management Console (MMC) snap-ins: Active Directory Users and Computers, Active Directory Sites and Services, Active Directory Domains and Trusts, and Active Directory Schema. |
|
|
Term
| Name few differences from Windows Server 2003 AD and Windows Server 2008 AD. |
|
Definition
2008 is combination of vista and windows 2003r2. Some new services are introduced in it
1. RODC one new domain controller introduced in it
[Read-only Domain controllers.]
2. WDS (windows deployment services) instead of RIS in 2003 server
3. shadow copy for each and every folders
4.boot sequence is changed
5.installation is 32 bit where as 2003 it is 16 as well as 32 bit, that's why installation of 2008 is faster
6.services are known as role in it
7. Group policy editor is a separate option in ads |
|
|
Term
| Tell me few uses of NTDSUTIL commands? |
|
Definition
| Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). You can use the ntdsutil commands to perform database maintenance of AD DS, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled. This tool is intended for use by experienced administrators. |
|
|
Term
| Tell me Different between online and offline defragmentation. |
|
Definition
Active Directory automatically performs online defragmentation of the database at certain intervals (by default, every 12 hours) as part of the Garbage Collection process. Online defragmentation does not reduce the size of the database file (Ntds.dit), but instead optimizes data storage in the database and reclaims space in the directory for new objects.
Performing an offline defragmentation creates a new, compacted version of the database file. Depending on how fragmented the original database file was, the new file may be considerably smaller. |
|
|
Term
| What are the services required for Active Directory replication? |
|
Definition
Active Directory replication topology has the following dependencies:
Routable IP infrastructure. The replication topology is dependent upon a routable IP infrastructure from which you can map IP subnet address ranges to site objects. This mapping generates the information that is used by client workstations to communicate with domain controllers that are close by, when there is a choice, rather than those that are located across WAN links.
DNS. The Domain Name System (DNS) resolves DNS names to IP addresses. Active Directory replication topology requires that DNS is properly designed and deployed so that domain controllers can correctly resolve the DNS names of replication partners.
DNS also stores service (SRV) resource records that provide site affinity information to clients searching for domain controllers, including domain controllers that are searching for replication partners. Every domain controller registers these records so that they can be located according to site.
Net Logon service. Net Logon is required for DNS registrations.
RPC. Active Directory replication requires IP connectivity and RPC to transfer updates between replication partners within sites. RPC is required for replication between two sites containing domain controllers in the same domain, but SMTP is an alternative where RPC cannot be used and domain controllers for the same domain are all located in one site so that intersite replication of domain data is not required.
Intersite Messaging. Intersite Messaging is required for SMTP intersite replication and for site coverage calculations. If the forest functional level is Windows 2000, Intersite Messaging is also required for intersite topology generation.
|
|
|
Term
| What is NETDOM command line tool used for? |
|
Definition
NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels |
|
|
