Interview Q and A 2

Uploaded by Harilal Chotara

Windows 2008 R2 Questions

DNS questions

DHCP questions

OPS Manager questions

Soft skill questions

Active Directory questions

1. What is Active Directory?

Active Directory is a network-based object store and service that locates and manages resources and makes them available to authorized users and groups. An underlying principle of Active Directory is that everything is considered an object: people, servers, workstations, printers, documents, and devices. Each object has certain attributes and its own security access control list (ACL).

2. What is LDAP?

"LDAP is a client-server protocol for accessing a directory service. It was initially used as a front-end to X.500, but can also be used with stand-alone and other kinds of directory servers."

LDAP lets you "locate organizations, individuals, and other resources such as files and devices in
a network, whether on the Internet or on a corporate intranet," and whether or not you know the
domain name, IP address, or geographic whereabouts. An LDAP directory can be distributed
among many servers on a network, then replicated and synchronized regularly. An LDAP server
is also known as a Directory System Agent (DSA).

LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. LDAP is a "lightweight" (smaller amount of code) version of the Directory Access Protocol (DAP), which is part of X.500, a standard for directory services in a network. LDAP is lighter because its initial version did not include security features.

An LDAP directory is organized in a simple "tree" hierarchy consisting of the following levels:

- The root directory (the starting place or the source of the tree), which branches out to
- Countries, each of which branches out to
- Organizations, which branch out to
- Organizational units (divisions, departments, and so forth), which branch out to (include an entry for)
- Individuals (which include people, files, and shared resources such as printers)

3. Where is the AD database held? What other folders are related to AD?

Default location: %systemroot%\NTDS

- Ntds.dit: Active Directory database
- Edb*.log: transaction log files
- Edb.chk: checkpoint file recording which data has not yet been written to the database
- Res*.log: reserved transaction log files (10 MB each, reserving space in case the disk fills up)

System State

Includes everything that AD depends on, not just the database files:

- Database and log files
- SYSVOL shared folder
- Registry
- System startup files
- Class registration database
- Certificate Services database

4. Talk about all the AD-related roles in Windows Server 2008/R2.

Flexible Single Master Operations (FSMO) Roles in Windows Server 2008

Certain tasks in Active Directory must be performed by exactly one domain controller. In AD 2008 these tasks are assigned to specific domain controllers, and the assignments are jointly called the FSMO roles.

There are five roles, classified into two groups:

1. Forest roles
- Schema Master: as the name suggests, changes made to the schema (the object classes and attributes from which AD objects are created) are made on this single domain controller and then replicated to the other domain controllers in your environment. Because only one DC accepts schema changes, the schema cannot be corrupted by several domain controllers trying to change it at once. This is one of the most important roles in the FSMO infrastructure.
- Domain Naming Master: this role is not used very often, only when you add or remove domain controllers. It ensures that domain controller names are unique in the environment.

2. Domain roles
- Infrastructure Master: this role checks the domain for changes to any objects. If changes are found, they are replicated to the other domain controllers.
- RID Master: this role is responsible for making sure each security principal has a different identifier.
- PDC Emulator: this role is responsible for account policies, such as client password changes, and for time synchronization in the domain.

Where are these roles configured?

1. Domain-wide roles are configured in Active Directory Users and Computers: right-click the domain and select Operations Masters.
2. The forest role Domain Naming Master is configured in Active Directory Domains and Trusts: right-click and select Operations Master. It shows you the current role holder.
3. The forest role Schema Master is not accessible from any tool by default, because editing the schema can create serious problems in an Active Directory environment. To gain access you need to register the DLL with regsvr32 schmmgmt.dll and then add the Active Directory Schema snap-in to an MMC console.

Seizing of Roles

In case of failure of the server holding a role, you need to seize the role. The procedure is the same for all five roles; only the final seize command differs.

Go to the command prompt and type ntdsutil.

1. At the ntdsutil: prompt, type roles to enter fsmo maintenance.
2. At the fsmo maintenance: prompt, type connections to enter server connections.
3. At the server connections: prompt, type connect to server <DomainController>, where <DomainController> is the name of the domain controller to which you are going to transfer the role.
4. At the server connections: prompt, type quit to return to fsmo maintenance.
5. At the fsmo maintenance: prompt, type the seize command for the role:

   For Schema Master: seize schema master
   For Domain Naming Master: seize domain naming master
   For Infrastructure Master: seize infrastructure master
   For RID Master: seize RID master
   For PDC Emulator: seize PDC

After you have seized the role, type quit to exit ntdsutil.
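The same transfer-or-seize decision made with the Active Directory module for Windows PowerShell (Windows Server 2008 R2 and later), as an added example that is not part of the original document: it records the current role holders, transfers gracefully while the holder still answers, and seizes only when it does not. The target name DC02 is a constructed placeholder, and the ping in Test-Connection is only a simple reachability heuristic.

```powershell
# Added example: FSMO role holders and transfer/seize with the AD PowerShell
# module. DC02 is a constructed placeholder for the surviving domain controller.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Forest-wide roles hang off the forest object, domain-wide roles off the domain object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRoles {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)][string[]]$Roles,   # PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster
        [switch]$Seize
    )
    # Without -Force the cmdlet performs a graceful transfer and needs the current
    # holder online. -Force seizes the role, the equivalent of ntdsutil "seize":
    # use it only when the old holder is permanently gone, and never bring that
    # server back online afterwards still believing it owns the role.
    if ($Seize) {
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
            -OperationMasterRole $Roles -Force -Confirm:$false
    } else {
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
            -OperationMasterRole $Roles -Confirm:$false
    }
}

function Move-DomainRolesSafely {
    param([Parameter(Mandatory)][string]$TargetDC)
    # Try a transfer first; fall back to seizing only when the PDC emulator's
    # current holder does not answer. Holders are recorded before and after.
    $before    = Get-FsmoRoleHolders
    $oldHolder = $before.PDCEmulator.Split('.')[0]
    $roles     = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

    if (Test-Connection -ComputerName $oldHolder -Count 1 -Quiet) {
        Move-FsmoRoles -TargetDC $TargetDC -Roles $roles
    } else {
        Write-Warning "$oldHolder is unreachable; seizing $($roles -join ', ') onto $TargetDC."
        Move-FsmoRoles -TargetDC $TargetDC -Roles $roles -Seize
    }
    [pscustomobject]@{ Before = $before; After = Get-FsmoRoleHolders }
}

# Usage: show who holds what, then move the three domain-wide roles to DC02.
Get-FsmoRoleHolders | Format-List
$result = Move-DomainRolesSafely -TargetDC 'DC02'
$result.After | Format-List
```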

5. What are the new Domain and Forest Functional Levels in Windows Server 2008/R2?

Windows Server 2008 R2 was released in August, and it introduced new functional levels for Active Directory. This article looks back at the functional levels of the past and at what is new for Active Directory in the latest release of the server operating system (yes, a recycle bin for AD objects!).

Functional levels were first introduced when Active Directory made its appearance in Windows 2000 Server. They
allowed you to run different versions of domain controllers in your environment, and when all the domain controllers
were brought up to a certain version of Windows, you could raise the functional levels to gain the added features of
that operating system version. Now that Windows 2008 R2 is released, it is unlikely that you will mass deploy this
new operating system to your entire forest or domain. Instead, you’ll deploy a single domain controller and kick the
tires, so to speak. The time will eventually come when you’ve upgraded every domain controller to R2, and at that
point you can raise the functional level to 2008 R2 to take advantage of the new features.

Functional levels can be raised in domains or, as of Windows 2003 Server, in the forest, providing different features
in each. They are differentiated by labeling them Domain Functional Level and Forest Functional Level.

What’s new in 2008 R2

Domain Functional Level

There are two features added when raising the domain functional level to 2008 R2: Authentication Mechanism Assurance and Automatic SPN Management.

Authentication mechanism assurance is meant for domains that use federation services (ADFS) or certificate-based authentication methods, such as smart card or token-based authentication. This mechanism adds information to the user's Kerberos token about the type of authentication used, which allows administrators to vary group membership based on how the user authenticates. For example, a user can have access to different resources when logging in with a certificate than when logging in with just a username and password.

Automatic SPN management provides a method for managing service accounts for applications such as Exchange, SQL and IIS. In the past, regular domain accounts were used for these purposes, adding management headaches in terms of password management and service principal names (SPNs). This new feature provides the following benefits:

- A class of domain accounts can be used to manage and maintain services on local computers.
- Passwords for these accounts are reset automatically.
- You do not have to complete complex SPN management tasks to use managed service accounts.
- Administrative tasks for managed service accounts can be delegated to non-administrators.

Forest Functional Level

There is one new feature gained by raising the forest functional level to Windows Server 2008 R2, and it is long overdue: the Active Directory Recycle Bin. In the days of old, when an IT administrator or help desk operator accidentally deleted an OU filled with user or computer objects (this has happened more times than you would think), there would be a scramble to perform a restore. The deletion replicates to all domain controllers, so an authoritative restore from a good backup, performed with ntdsutil in Directory Services Restore Mode, would be in order. At the 2008 R2 forest functional level, a PowerShell cmdlet will undo the deletion instantly.

Note that this feature is not enabled automatically when you raise the forest functional level. You must also run the following command in the Active Directory Module for Windows PowerShell:

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mydomain,DC=com' -Scope ForestOrConfigurationSet -Target 'mydomain.com'
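The enable step above, with the functional-level precondition checked first, followed by the restore it makes possible, as an added example that is not part of the original article. 'mydomain.com' follows the article's placeholder; the OU name 'Sales' in the usage section is constructed.

```powershell
# Added example: enable the AD Recycle Bin and restore accidentally deleted
# objects with the AD PowerShell module. 'mydomain.com' follows the article's
# placeholder; the OU name 'Sales' below is constructed.
Import-Module ActiveDirectory

function Enable-AdRecycleBin {
    param([string]$ForestFqdn = 'mydomain.com')
    $forest = Get-ADForest -Identity $ForestFqdn
    # The feature requires the Windows Server 2008 R2 forest functional level.
    $required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ([int]$forest.ForestMode -lt [int]$required) {
        throw "Forest mode is $($forest.ForestMode); raise it to Windows2008R2Forest first."
    }
    # The same DN the article gives, built from the live configuration naming context.
    $cfgNc = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc"
    $feature = Get-ADOptionalFeature -Identity $dn
    if ($feature.EnabledScopes.Count -gt 0) {
        Write-Verbose 'Recycle Bin is already enabled' -Verbose
        return $feature
    }
    # Enabling is forest-wide and cannot be undone, hence the explicit confirm suppression.
    Enable-ADOptionalFeature -Identity $dn -Scope ForestOrConfigurationSet -Target $ForestFqdn -Confirm:$false
    Get-ADOptionalFeature -Identity $dn
}

function Get-DeletedObjects {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    # Deleted objects are hidden unless -IncludeDeletedObjects is given; the
    # "Deleted Objects" container itself is flagged isDeleted and is excluded.
    Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects" -and whenChanged -ge $since' `
        -IncludeDeletedObjects -Properties lastKnownParent, msDS-LastKnownRDN, whenChanged, objectClass
}

function Restore-DeletedObjects {
    param([Parameter(Mandatory)]$Objects)
    # Restore-ADObject puts each object back under its lastKnownParent. When a
    # whole OU was deleted, the OU must exist again before its former members
    # can be restored, so containers are restored first.
    $ordered = $Objects | Sort-Object { if ($_.objectClass -eq 'organizationalUnit') { 0 } else { 1 } }
    foreach ($obj in $ordered) {
        Restore-ADObject -Identity $obj.ObjectGUID
        "Restored $($obj.'msDS-LastKnownRDN') ($($obj.objectClass))"
    }
}

# Usage: enable once, then review what was deleted in the last week.
Enable-AdRecycleBin -ForestFqdn 'mydomain.com' | Select-Object Name, EnabledScopes
$deleted = Get-DeletedObjects -Days 7
$deleted | Format-Table msDS-LastKnownRDN, objectClass, lastKnownParent, whenChanged -AutoSize

# Restore only the deleted OU 'Sales' and the objects that lived in it. Children
# of a deleted OU record the OU's mangled DN (name\0ADEL:<guid>) as lastKnownParent.
$victims = $deleted | Where-Object {
    $_.'msDS-LastKnownRDN' -eq 'Sales' -or $_.lastKnownParent -like 'OU=Sales\0ADEL:*'
}
Restore-DeletedObjects -Objects $victims
```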

Functional levels of previous versions

The following are the previous functional levels and what features they added, as documented in Technet.

Domain Functional Levels:

Windows 2000 Native:

- Universal groups are enabled for both distribution groups and security groups.
- Group nesting.
- Group conversion is enabled, which makes conversion between security groups and distribution groups possible.
- Security identifier (SID) history.

Windows Server 2003:

- The availability of the domain management tool, Netdom.exe, to prepare for domain controller rename.
- Update of the logon time stamp. The lastLogonTimestamp attribute will be updated with the last logon time of the user or computer. This attribute is replicated within the domain.
- The ability to set the userPassword attribute as the effective password on inetOrgPerson and user objects.
- The ability to redirect the Users and Computers containers. By default, two well-known containers are provided for housing computer and user/group accounts, namely cn=Computers and cn=Users. This feature makes it possible to define a new well-known location for these accounts.
- Makes it possible for Authorization Manager to store its authorization policies in Active Directory Domain Services (AD DS).
- Includes constrained delegation, so that applications can take advantage of the secure delegation of user credentials by means of the Kerberos authentication protocol. Delegation can be configured to be allowed only to specific destination services.
- Supports selective authentication, through which it is possible to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest.

Windows Server 2008:

- Distributed File System (DFS) Replication support for SYSVOL, which provides more robust and detailed replication of SYSVOL contents.
- Advanced Encryption Services (AES 128 and 256) support for the Kerberos authentication protocol.
- Last Interactive Logon Information, which displays the time of the last successful interactive logon for a user, from what workstation, and the number of failed logon attempts since the last logon.
- Fine-grained password policies (FGPP), which make it possible for password and account lockout policies to be specified for users and global security groups in a domain.

Forest Functional Levels:

Windows 2000:

There were no forest functional levels, just domain.

Windows Server 2003:

- Forest trust.
- Domain rename.
- Linked-value replication (changes in group membership store and replicate values for individual members instead of replicating the entire membership as a single unit). This change results in lower network bandwidth and processor usage during replication and eliminates the possibility of lost updates when different members are added or removed concurrently at different domain controllers.
- The ability to deploy a read-only domain controller (RODC) that runs Windows Server 2008.
- Improved Knowledge Consistency Checker (KCC) algorithms and scalability. The Intersite Topology Generator (ISTG) uses improved algorithms that scale to support forests with a greater number of sites than can be supported at the Windows 2000 forest functional level. The improved ISTG election algorithm is a less intrusive mechanism for choosing the ISTG than at the Windows 2000 forest functional level.
- An improved ISTG algorithm (better scaling of the algorithm that the ISTG uses to connect all sites in the forest).
- The ability to create instances of the dynamic auxiliary class called dynamicObject in a domain directory partition.
- The ability to convert an inetOrgPerson object instance into a User object instance, and the reverse.
- The ability to create instances of the new group types, called application basic groups and Lightweight Directory Access Protocol (LDAP) query groups, to support role-based authorization.
- Deactivation and redefinition of attributes and classes in the schema.

Windows Server 2008:

No forest functional level changes occurred from Windows 2003 to Windows 2008.

6. What is the SYSVOL folder?

The Sysvol folder on a Windows domain controller is used to replicate file-based data among domain controllers. Because junctions are used within the Sysvol folder structure, Windows NT file system (NTFS) version 5.0 is required on domain controllers throughout a Windows distributed file system (DFS) forest.

This is a quote from Microsoft itself; basically, the domain controller information that is stored in files, such as your Group Policy data, is replicated through this folder structure.

7. What are the AD naming contexts (partitions) and the replication issues for each NC?

Active Directory Naming Contexts (NCs)

- Active Directory consists of three partitions or naming contexts (NCs): the Domain, Configuration and Schema naming contexts.
- Each is replicated independently.
- An Active Directory forest has a single schema and a single configuration: every domain controller (DC) holds a copy of the Schema and Configuration NCs.
- A forest can have multiple domains: every domain controller in a domain holds a copy of that domain's NC.

8. What are application partitions?

Active Directory supports application directory partitions. Typically, data in a given application directory
partition is managed through the application that created it or that uses it. Application directory
partitions provide the ability to control the scope of replication and allow the placement of replicas in a
manner more suitable for dynamic data. As a result, the application directory partition provides the
capability of hosting dynamic data in Active Directory, thus allowing ADSI/LDAP access to it, without
significantly impacting network performance. Application directory partitions hold the data that is used
by applications. An application directory partition can contain a hierarchy of any type of objects, except
security principals, and can be configured to replicate to any set of domain controllers in the forest.
Unlike a domain partition, an application directory partition is not required to replicate to all domain
controllers in a domain and the partition can replicate to domain controllers in different domains of the
forest.
As an example of an application partition, if you use a Domain Name System (DNS) that is integrated with Active Directory, you have two application partitions for DNS zones: ForestDNSZones and DomainDNSZones.
9. What applications or services use AD application partitions? Name a couple.

Application directory partitions are usually created by the applications that will use them to store and replicate data. TAPI is an example of this. For testing and troubleshooting purposes, members of the Enterprise Admins group can manually create or manage application directory partitions using the Ntdsutil command-line tool.

10. How do you create a new application partition?

Application directory partitions are usually created by the applications that will use them to store and replicate data. TAPI is an example of this. For testing and troubleshooting purposes, members of the Enterprise Admins group can manually create or manage application directory partitions using the Ntdsutil command-line tool.

11. What are the requirements for installing AD on a new server?

- An NTFS partition with enough free space (250 MB minimum)
- An administrator's username and password
- The correct operating system version
- A NIC
- Properly configured TCP/IP (IP address, subnet mask and, optionally, a default gateway)
- A network connection (to a hub, or to another computer via a crossover cable)
- An operational DNS server (which can be installed on the DC itself)
- The domain name that you want to use

12. What can you do to promote a server to DC if you're in a remote location with a slow WAN link?

Take a System State backup from another DC and restore it locally on the server that is going to be the next domain controller. Run dcpromo /adv, which will prompt you on the next screen to specify the path of the restored System State backup. This prevents replication of the entire configuration over the slow network.
13. How do you view replication properties for AD partitions and DCs?

By using Replication Monitor or repadmin:

go to Start > Run > type repadmin
go to Start > Run > type replmon

14.What is the Global Catalog?

The GC is a special form of a Windows 2000 domain controller (DC) that holds a complete set of objects
(i.e., user accounts, contacts, distribution groups, and configuration data) from all domains in a Win2K
forest. The GC stores read-only partial copies of objects from other domains alongside read/write full
copies of objects from the GC's home domain. Partial copies include the important attributes of an
Exchange mailbox (e.g., email address, phone numbers) but not all the mailbox attributes. In a single-
domain implementation, all DCs are effectively GCs, but single-domain implementations are unusual in
large, distributed enterprises. GCs come into their own in large enterprises.

15. How do you view all the GCs in the forest?

C:\>repadmin /showreps <domain_controller>

OR you can use Replmon.exe for the same purpose.
OR use AD Sites and Services, or nslookup gc._msdcs.

To find the GCs from the command line you can try the dsquery command: dsquery server -isgc to find all the GCs in the forest, or dsquery server -forest -isgc.

16. Why not make all DCs in a large forest GCs?

There can be only one GC. If we make all DCs GCs, then:

- There will be a huge amount of network traffic, which can choke the network
- There will be problems in replication
- There will be issues in the consistency of objects in the forest
- There would be issues in authentication
- There will be chances of duplicate objects in the domains

That is why there is only ONE GC per forest, which has all the info about the objects, groups, etc.
17.Talk about GCs and Universal Groups.

18. Describe the time synchronization mechanism in AD.

The server that holds the primary domain controller (PDC) emulator role acts as the default time source for your entire network.

Each workstation and server in this network will try to locate a time source for synchronization. Using an internal algorithm designed to reduce network traffic, systems will make up to six attempts to find a time source. Here is the order of these attempts:

- Parent domain controller (on-site)
- Local domain controller (on-site)
- Local PDC emulator (on-site)
- Parent domain controller (off-site)
- Local domain controller (off-site)
- Local PDC emulator (off-site)

To ensure that your servers are finding the proper time, you must configure your PDC emulator to receive the time from a valid and accurate time source. To configure this role, follow these steps:

1. Log on to the domain controller.

2. Enter the following at the command line:

w32tm /config /manualpeerlist:<timeserver> /syncfromflags:manual

<timeserver> is a space-delimited list of DNS names and/or IP addresses. When specifying multiple time servers, enclose the list in quotation marks.

3. Update the Windows Time Service configuration. At the command line, you can either enter w32tm /config /update, or you can enter the following:

net stop w32time
net start w32time
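Steps 2 and 3 applied from PowerShell according to the role the local machine holds, plus a check of the resulting offset against the PDC emulator, as an added example that is not part of the original answer. The AD module's Get-ADDomain is used to identify the PDC emulator; the NTP host names ntp1.example.com and ntp2.example.com are constructed placeholders.

```powershell
# Added example: point the PDC emulator at external NTP, keep every other
# machine on the domain hierarchy, and verify. NTP names are placeholders.
Import-Module ActiveDirectory

function Test-IsPdcEmulator {
    # Get-ADDomain returns the PDCe as an FQDN; compare the host label only.
    $pdc = (Get-ADDomain).PDCEmulator
    return ($pdc.Split('.')[0] -ieq $env:COMPUTERNAME)
}

function Set-DomainTimeSource {
    param([string[]]$Peers = @('ntp1.example.com', 'ntp2.example.com'))
    if (Test-IsPdcEmulator) {
        # Only the PDCe syncs from outside. 0x8 marks each peer as a plain client
        # association; /reliable:yes advertises this DC as a good time source.
        $list = ($Peers | ForEach-Object { "$_,0x8" }) -join ' '
        w32tm /config "/manualpeerlist:$list" /syncfromflags:manual /reliable:yes /update
    } else {
        # Everyone else follows the domain hierarchy described above, which ends
        # at the PDC emulator. A member once hand-pointed at an external server
        # keeps that setting until it is reset like this.
        w32tm /config /syncfromflags:domhier /update
    }
    Restart-Service w32time          # same effect as "net stop/net start w32time"
    w32tm /resync /rediscover | Out-Null
}

function Get-TimeSyncState {
    # Kerberos tolerates 5 minutes of clock skew by default; a member that drifts
    # further cannot authenticate, so the offset to the PDCe is what to watch.
    $pdc   = (Get-ADDomain).PDCEmulator
    $chart = w32tm /stripchart /computer:$pdc /samples:3 /dataonly
    # /dataonly prints "hh:mm:ss, +00.0000000s" sample lines after a short header.
    $lastLine = $chart | Where-Object { $_ -match ',\s*[+-]\d' } | Select-Object -Last 1
    $offset   = if ($lastLine -match '([+-]\d+\.\d+)s') { [double]$Matches[1] } else { $null }
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        IsPdcEmulator      = Test-IsPdcEmulator
        Source             = (w32tm /query /source)
        OffsetToPdcSeconds = $offset
        WithinKerberosSkew = ($offset -ne $null -and [math]::Abs($offset) -lt 300)
    }
}

# Usage: configure this host according to its role, then report.
Set-DomainTimeSource -Peers 'ntp1.example.com', 'ntp2.example.com'
Get-TimeSyncState | Format-List
```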

19. What is ADSIEDIT? What is NETDOM? What is REPADMIN?

20. LDP: Label Distribution Protocol (LDP) is often used to establish MPLS LSPs when traffic engineering is not required. It establishes LSPs that follow the existing IP routing, and is particularly well suited for establishing a full mesh of LSPs between all of the routers on the network.

Replmon: Replmon displays information about Active Directory replication.

ADSIEDIT: ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a graphical user interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects within a directory service. The attributes of each object can be edited or deleted by using this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active Directory. The following files are required to use this tool: ADSIEDIT.DLL and ADSIEDIT.MSC.

NETDOM: NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels.

REPADMIN: This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers. Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors.

21.What is DCDIAG? When would you use it?


This command-line tool analyzes the state of one or all domain controllers in a forest and reports any
problems to assist in troubleshooting. DCDiag.exe consists of a variety of tests that can be run individually
or as part of a suite to verify domain controller health.

22. What are sites? What are they used for?

One or more well-connected (highly reliable and fast) TCP/IP subnets. A site allows administrators to configure Active Directory access and replication topology to take advantage of the physical network.

A Site object in Active Directory represents a physical geographic location that hosts networks. Sites contain objects called Subnets. Sites can be used to assign Group Policy Objects, facilitate the discovery of resources, manage Active Directory replication, and manage network link traffic. Sites can be linked to other sites. Site link objects may be assigned a cost value that represents the speed, reliability, availability, or other real property of a physical resource. Site links may also be assigned a schedule.
23. What's the difference between a site link's schedule and interval?

The schedule lets you list the weekdays and hours when the site link is available, so that replication can happen at the given interval. The interval is the recurrence of inter-site replication, in minutes. It ranges from 15 to 10,080 minutes; the default interval is 180 minutes.

24. What is the KCC?

Within a site, a Windows Server 2003 service known as the KCC automatically generates a topology for replication among the domain controllers in the domain, using a ring structure. The KCC is a built-in process that runs on all domain controllers.

The KCC analyzes the replication topology within a site every 15 minutes to ensure that it still works. If you add or remove a domain controller from the network or a site, the KCC reconfigures the topology to reflect the change.

25. What is the ISTG? Who has that role by default?

The Intersite Topology Generator (ISTG) is responsible for the connections among the sites. By default, Windows 2003 forest-level functionality provides this role. By default the first server in the site has this role. If that server can no longer perform this role, the next server with the highest GUID takes over the role of ISTG.

26.Talk about sites and GCs.

27.Talk about sites and Exchange Server 2007/2010.

28. What is GPO?

In the Windows 2000 operating system, a Group Policy Object (GPO) is a collection of settings that define what a system will look like and how it will behave for a defined group of users. Microsoft provides a program snap-in that allows you to use the Group Policy Microsoft Management Console (MMC). The selections result in a Group Policy Object. The GPO is associated with selected Active Directory containers, such as sites, domains, or organizational units (OUs). The MMC allows you to create a GPO that defines registry-based policies, security options, software installation and maintenance options, script options, and folder redirection options.

Group Policy gives you administrative control over users and computers in your network. By using Group Policy, you can define the state of a user's work environment once, and then rely on Windows Server 2003 to continually enforce the Group Policy settings that you apply across an entire organization or to specific groups of users and computers.

Group Policy Advantages

- You can assign Group Policy in domains, sites and organizational units.
- All users and computers in the domain, site or organizational unit are affected by the Group Policy settings.
- No one in the network has rights to change Group Policy settings; by default only administrators have the privilege to change them, so it is very secure.
- Policy settings can be removed, and the changes can be rewritten later.
Where GPOs store Group Policy information

Group Policy objects store their Group Policy information in two locations:

Group Policy Container: The GPC is an Active Directory object that contains GPO status, version information, WMI filter information, and a list of components that have settings in the GPO. Computers access the GPC to locate Group Policy templates, and if a domain controller does not have the most recent version of the GPO, replication occurs to obtain the latest version of the GPO.

Group Policy Template: The GPT is a folder hierarchy in the shared SYSVOL folder on a domain controller. When you create a GPO, Windows Server 2003 creates the corresponding GPT, which contains all Group Policy settings and information, including administrative templates, security, software installation, scripts, and folder redirection settings. Computers connect to the SYSVOL folder to obtain the settings.

The name of the GPT folder is the globally unique identifier (GUID) of the GPO that you created. It is identical to the GUID that Active Directory uses to identify the GPO in the GPC. The path to the GPT on a domain controller is %systemroot%\SYSVOL\sysvol.

Managing GPOs

To avoid replication conflicts, consider which domain controller you edit on, especially because GPO data resides both in the SYSVOL folder and in Active Directory. Active Directory uses two independent replication techniques to replicate GPO data among all domain controllers in the domain. Whether one administrator's changes can overwrite those made by another administrator depends on the replication latency. By default the Group Policy Management Console uses the PDC Emulator, so that all administrators work on the same domain controller.

WMI Filter

WMI filters are used to refine the scope of GPOs based on attributes of the user or computer. In this way, you can extend GPO filtering beyond the security group filtering mechanisms that were previously available.

A WMI filter can be linked to a GPO. When you apply a GPO to the destination computer, Active Directory evaluates the filter on the destination computer. A WMI filter consists of one or more queries that are evaluated against the WMI repository of the destination computer. If the set of queries is false, the GPO is not applied; if the set of queries is true, the GPO is applied. You write the queries using the WMI Query Language (WQL), a SQL-like language for querying the WMI repository.

Planning a Group Policy Strategy for the Enterprise


When you plan an Active Directory structure, create a plan for GPO inheritance, administration,
and deployment that provides the most efficient Group Policy management for your
organization.

Also consider how you will implement Group Policy for the organization. Be sure to consider the
delegation of authority, separation of administrative duties, central versus decentralized
administration, and design flexibility so that your plan will provide for ease of use as well as
administration.

Planning GPOs
Create GPOs in way that provides for the simplest and most manageable design -- one in which
you can use inheritance and multiple links.

Guidelines for Planning GPOs

 Apply GPO settings at the highest level: This way, you take advantage of Group Policy
inheritance. Determine the common GPO settings for the largest container, starting with the
domain, and then link the GPO to that container.
 Reduce the number of GPOs: You reduce the number by using multiple links instead of creating
multiple identical GPOs. Try to link a GPO to the broadest container possible to avoid
creating multiple links of the same GPO at deeper levels.
 Create specialized GPOs: Use these GPOs to apply unique settings when necessary. GPOs at a
higher level will not apply the settings in these specialized GPOs.
 Disable computer or user configuration settings: When you create a GPO that contains settings
for only one of the two nodes (user or computer), disable the unused node. This speeds up policy
processing and prevents accidental GPO settings from being applied to the other area.

Read more: http://wiki.answers.com/Q/What_are_GPOs#ixzz1NYp4SAFa


29.Describe the way GPO is applied throughout the domain.

Local, Site, Domain, OU

Group Policy settings are processed in the following order:

1:- Local Group Policy object-each computer has exactly one Group Policy object that is stored
locally. This processes for both computer and user Group Policy processing.

2:- Site-Any GPOs that have been linked to the site that the computer belongs to are processed
next. Processing is in the order that is specified by the administrator, on the Linked Group Policy
Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the
lowest link order is processed last, and therefore has the highest precedence.

3:- Domain-processing of multiple domain-linked GPOs is in the order specified by the
administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with
the lowest link order is processed last, and therefore has the highest precedence.

4:- Organizational units-GPOs that are linked to the organizational unit that is highest in the
Active Directory hierarchy are processed first, then GPOs that are linked to its child
organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that
contains the user or computer are processed.

At the level of each organizational unit in the Active Directory hierarchy, one, many, or no
GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in
the order that is specified by the administrator, on the Linked Group Policy Objects tab for the
organizational unit in GPMC. The GPO with the lowest link order is processed last, and
therefore has the highest precedence.

This order means that the local GPO is processed first, and GPOs that are linked to the
organizational unit of which the computer or user is a direct member are processed last, which
overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the
earlier and later settings are merely aggregated.)
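
As an added example (not part of the original answer), the script below reconstructs the processing order described above for one target OU by reading the raw `gPLink` and `gPOptions` attributes that GPMC's Linked Group Policy Objects tab is built from, using the Active Directory and Group Policy modules shipped with Windows Server 2008 R2 / RSAT. The OU path, site name and domain are constructed placeholders.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpLinks {
    # gPLink is one string of [LDAP://<GPO DN>;<flags>] entries in which the FIRST entry
    # is link order 1. Flags: 1 = link disabled, 2 = enforced. gPOptions = 1 on a
    # container means "Block Inheritance" is set on it.
    param([Parameter(Mandatory)] [string] $ContainerDn)
    $obj   = Get-ADObject -Identity $ContainerDn -Properties gPLink, gPOptions
    $links = @()
    $order = 0
    foreach ($m in [regex]::Matches([string]$obj.gPLink, '\[LDAP://([^;\]]+);(\d+)\]')) {
        $order++
        $guid  = [regex]::Match($m.Groups[1].Value, '\{[0-9A-Fa-f-]+\}').Value
        $flags = [int]$m.Groups[2].Value
        $links += [pscustomobject]@{
            LinkOrder = $order
            GPO       = (Get-GPO -Guid $guid).DisplayName   # assumes the GPO lives in this domain
            Enabled   = -not ($flags -band 1)
            Enforced  = [bool]($flags -band 2)
        }
    }
    [pscustomobject]@{ Container = $ContainerDn; BlockInheritance = ([int]$obj.gPOptions -eq 1); Links = $links }
}

function Get-GpoProcessingOrder {
    param(
        [Parameter(Mandatory)] [string] $TargetOU,   # OU that holds the user or computer
        [Parameter(Mandatory)] [string] $SiteDn      # CN=<site>,CN=Sites,CN=Configuration,...
    )
    # Container chain: domain first, then each OU from the top of the tree down to the target.
    $rdns     = $TargetOU -split ',(?=(?:OU|DC)=)'
    $domainDn = ($rdns | Where-Object { $_ -like 'DC=*' }) -join ','
    $ous      = @($rdns | Where-Object { $_ -like 'OU=*' })
    $chain    = @($domainDn)
    for ($i = $ous.Count - 1; $i -ge 0; $i--) {
        $chain += ((($ous[$i..($ous.Count - 1)]) -join ',') + ',' + $domainDn)
    }

    # Step 1 is always the local GPO; site links come next, then domain, then OUs.
    $rows = @([pscustomobject]@{ Step = 1; Scope = 'Local'; Container = 'Local GPO'; GPO = 'Local Group Policy';
                                 Enabled = $true; Enforced = $false; BlockInheritance = $false })
    $step = 1
    foreach ($container in (,$SiteDn + $chain)) {
        $info  = Get-GpLinks -ContainerDn $container
        $scope = if ($container -eq $SiteDn) { 'Site' } elseif ($container -eq $domainDn) { 'Domain' } else { 'OU' }
        # Within one container the highest link order is processed first; link order 1 is
        # processed last and therefore wins on conflict.
        foreach ($link in ($info.Links | Sort-Object LinkOrder -Descending)) {
            $step++
            $rows += [pscustomobject]@{
                Step = $step; Scope = $scope; Container = $container; GPO = $link.GPO
                Enabled = $link.Enabled; Enforced = $link.Enforced; BlockInheritance = $info.BlockInheritance
            }
        }
    }
    $rows
}

Get-GpoProcessingOrder -TargetOU 'OU=Workstations,OU=Sales,DC=contoso,DC=com' `
                       -SiteDn 'CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com' |
    Format-Table Step, Scope, GPO, Enabled, Enforced, BlockInheritance -AutoSize
```

The `Step` column is the plain link order; two flags modify it in practice and are shown as columns so they are not overlooked: a link marked `Enforced` is applied after all non-enforced links (so it wins conflicts) and is not stopped by a lower container that has `BlockInheritance` set, whereas a disabled link is skipped entirely.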

30.What can you do to prevent inheritance from above?

31.How can you override blocking of inheritance?


32.Name some of the major changes in GPO in Windows Server 2008.
The following changes are available in Windows Server® 2008 R2 and in Windows® 7 with Remote Server
Administration Tools (RSAT):

 Windows PowerShell Cmdlets for Group Policy: Ability to manage Group Policy from the Windows
PowerShell™ command line and to run PowerShell scripts during logon and startup

 Group Policy Preferences: Additional types of preference items

 Starter Group Policy Objects: Improvements to Starter GPOs

 Administrative Template Functionality : Improved user interface

 Administrative Template Settings: New and changed policy settings

33.What are ADM files? What replaced them in Windows Server 2008?

In Windows Server 2003, the administrative templates that define Group Policy settings are
stored in the .ADM file format. In Windows Vista and Longhorn Server, this file format has been
replaced by the .ADMX file format. The .ADMX file format is based on XML, whereas .ADM files
used their own proprietary file format.

There are several major differences between the way that .ADMX files and .ADM files
are implemented. One major difference is that while .ADM files were all encompassing,
there are actually two different files used by their .ADMX counterparts. ADMX files are
divided into language neutral files and language specific files. This allows .ADMX files
to be used in a variety of different languages. The language neutral file contains the
actual policy components. The language specific file simply provides the text associated
with the policy in various localizations. For example, you could have English, French,
and Japanese language specific files that all apply to the same language neutral file.

The location in which these files are stored has also changed. In Windows Server 2003,
ADM files were stored in the %systemroot%\inf folder. In Windows Vista and in
Longhorn Server, the language neutral .ADMX files are stored in the
%systemroot%\PolicyDefinitions folder. The language specific files are stored in a subfolder whose
name reflects the files' localization. For example, language specific files for the English
language are stored in the %systemroot%\PolicyDefinitions\en-us folder.
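
An added example (not from the original text) that verifies the two-file layout just described: every language-neutral .admx in PolicyDefinitions should have a matching .adml in the locale subfolder, and each .admx declares an XML namespace. The local path is the default the text gives; the SYSVOL central-store path in the comment is a constructed placeholder.

```powershell
function Test-AdmxStore {
    param(
        [string] $PolicyDefinitions = (Join-Path $env:SystemRoot 'PolicyDefinitions'),
        [string] $Culture = 'en-US'
    )
    $langDir = Join-Path $PolicyDefinitions $Culture
    if (-not (Test-Path $langDir)) { throw "Language folder not found: $langDir" }

    # PSIsContainer instead of -File keeps this working on PowerShell 2.0 (Server 2008 R2).
    $admx = Get-ChildItem -Path $PolicyDefinitions -Filter *.admx | Where-Object { -not $_.PSIsContainer }
    $adml = Get-ChildItem -Path $langDir -Filter *.adml | Where-Object { -not $_.PSIsContainer } |
            ForEach-Object { $_.BaseName }

    foreach ($file in $admx) {
        # The root element is <policyDefinitions>; <policyNamespaces><target> names the
        # namespace that .adml string tables and other templates refer to.
        $xml = [xml](Get-Content -LiteralPath $file.FullName)
        [pscustomobject]@{
            Admx      = $file.Name
            Namespace = $xml.policyDefinitions.policyNamespaces.target.namespace
            HasAdml   = ($adml -contains $file.BaseName)
        }
    }
}

# Templates whose display strings are missing for this locale (settings would show as raw ids in GPMC):
Test-AdmxStore | Where-Object { -not $_.HasAdml }

# The same check against a domain central store (placeholder domain name):
# Test-AdmxStore -PolicyDefinitions '\\contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions'
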
34.What's the GPO repository?

35.How do you use it?


36.What are GPO Preferences?
37.Which client OSs can use GPO Preferences?
38.What are GPO Templates?
40.What are WMI Filters?
41.What is the concept behind GPO Filtering?
42.How can you determine what GPO was and was not applied for a user?
Name a few ways to do that.

1. Group Policy Management Console (GPMC) can provide assistance when you need to
troubleshoot GPO behaviour. It allows you to examine the settings of a specific GPO, and can
also be used to determine how your GPOs are linked to sites, domains, and OUs. The Group
Policy Results report collects information on a computer and user, to list the policy settings
which are enabled. To create a Group Policy Results report, right-click Group Policy Results, and
select Group Policy Results Wizard on the shortcut menu. This launches the Group Policy Results
Wizard, which guides you through various pages to set parameters for the information that
should be displayed in the Group Policy Results report.
2. Gpresult.exe: click Start > Run > cmd and run gpresult; this also gives you information about the
applied group policies.

43.A user claims he did not receive a GPO, yet his user and computer
accounts are in the right OU, and everyone else there gets the GPO.
What will you look for?

Here the interviewer wants to know the troubleshooting steps:

Which GPO is applying?
Is it applying to all users and computers?
Which GPOs are implemented on the OU?
Make sure the user is not subject to a loopback policy, as with loopback policy the user
settings are not affected; only the computer policy will be applicable.
Is he a member of the GPO filter group or not?
You may also want to check the computer's event logs. If you find event ID 1085, then you may
want to download the patch to fix this and reboot the computer.
===============================================
Answer 2: Start troubleshooting by running RSOP.MSC (Resultant Set of Policy) or gpresult /z to
verify whether the relevant GPO actually applies to that user.

A slow network can also be the reason. You can change the default setting by using the Group
Policy MMC snap-in. This feature is enabled by default, but you can disable it by using the
following policy: Administrative Templates\System\Logon\Always wait for the network at
computer startup and logon.

Identify which GPOs they correspond to, and verify that they are applicable to the computer/user
(based on the output of RSOP.MSC/gpresult).
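
The following is an added example (not one of the answers above) that collects the evidence those steps rely on from the affected computer: `gpresult /x` writes the Resultant Set of Policy as XML, and the script lists every GPO per scope with the reason it was or was not applied (security filtering, WMI filter, disabled link), then pulls recent Group Policy errors such as event 1085 from the System log. Element names follow the gpresult XML report schema; the user and computer names are constructed placeholders.

```powershell
function Get-GpoApplicationReport {
    param(
        [string] $ComputerName = $env:COMPUTERNAME,
        [string] $UserName                      # DOMAIN\user; omit to report the computer scope only
    )
    $xmlPath = Join-Path $env:TEMP ("rsop-{0}.xml" -f $ComputerName)
    $gpArgs  = @('/s', $ComputerName, '/x', $xmlPath, '/f')   # /f overwrites an older report
    if ($UserName) { $gpArgs += @('/user', $UserName) }
    & gpresult.exe @gpArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "gpresult failed with exit code $LASTEXITCODE" }

    [xml]$rsop = Get-Content -LiteralPath $xmlPath
    foreach ($scope in 'ComputerResults', 'UserResults') {
        $node = $rsop.Rsop.$scope
        if (-not $node) { continue }
        foreach ($gpo in @($node.GPO)) {
            # A GPO is applied only if its link is enabled, the account passes security
            # filtering (AccessDenied=false) and the WMI filter evaluates true (FilterAllowed=true).
            $status = if ($gpo.AccessDenied -eq 'true')       { 'Denied: security filtering (check group membership)' }
                      elseif ($gpo.FilterAllowed -eq 'false') { 'Denied: WMI filter evaluated false' }
                      elseif ($gpo.Enabled -eq 'false')       { 'Not applied: GPO or link disabled' }
                      else                                    { 'Applied' }
            [pscustomobject]@{
                Scope    = $scope -replace 'Results$'
                GPO      = $gpo.Name
                LinkedAt = (@($gpo.Link) | ForEach-Object { $_.SOMPath }) -join '; '
                Status   = $status
            }
        }
    }
}

function Get-GroupPolicyErrors {
    param([string] $ComputerName = $env:COMPUTERNAME, [int] $Hours = 24)
    # Vista/2008 and later write Group Policy processing events to the System log under this
    # provider; event 1085 (mentioned in the answer above) means a client-side extension failed.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-GroupPolicy'
        Level        = 2, 3                          # Error, Warning
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

# Constructed placeholders for the computer and user from the question:
Get-GpoApplicationReport -ComputerName 'WS-SALES-07' -UserName 'CONTOSO\jsmith' | Format-Table -AutoSize
Get-GroupPolicyErrors   -ComputerName 'WS-SALES-07' | Format-Table -AutoSize
```

Reading the report for the missing GPO is usually enough to decide the next step: a `Denied: security filtering` row points at the filter group (or a Deny ACE on the GPO), a WMI-filter row means testing the filter's queries on that machine, and a GPO that is absent from the report altogether means the link is not in the account's site/domain/OU chain at all.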

44.You want to standardize the desktop environments (wallpaper, My
Documents, Start menu, printers etc.) on the computers in one
department.
45.How would you do that?
46.What are the major changes in AD in Windows Server 2008?
The following changes are available in Windows Server 2008 R2:

 Active Directory Recycle Bin

Information technology (IT) professionals can use Active Directory Recycle Bin to undo an accidental
deletion of an Active Directory object. Accidental object deletion causes business downtime. Deleted users
cannot log on or access corporate resources. This is the number one cause of Active Directory recovery
scenarios. Active Directory Recycle Bin works for both AD DS and Active Directory Lightweight Directory
Services (AD LDS) objects. This feature is enabled in AD DS at the Windows Server 2008 R2 forest
functional level. For AD LDS, all replicas must be running in a new "application mode." For more
information, see What's New in AD DS: Active Directory Recycle Bin.

 Active Directory module for Windows PowerShell and Windows PowerShell™ cmdlets

The Active Directory module for Windows PowerShell provides command-line scripting for administrative,
configuration, and diagnostic tasks, with a consistent vocabulary and syntax. It provides predictable
discovery and flexible output formatting. You can easily pipe cmdlets to build complex operations. The
Active Directory module enables end-to-end manageability with Exchange Server, Group Policy, and other
services. For more information, see What's New in AD DS: Active Directory Module for Windows
PowerShell.

 Active Directory Administrative Center


The Active Directory Administrative Center has a task-oriented administration model, with support for
larger datasets. The Active Directory Administrative Center can help increase the productivity of IT
professionals by providing a scalable, task-oriented user experience for managing AD DS. In the past, the
lack of a task-oriented user interface (UI) could make certain activities, such as resetting user passwords,
more difficult than they had to be. The Active Directory Administrative Center enumerates and organizes
the activities that you perform when you manage a system. These activities may be maintenance tasks,
such as backup; event-driven tasks, such as adding a user; or diagnostic tasks that you perform to correct
system failures. For more information, see What's New in AD DS: Active Directory Administrative Center.

 Active Directory Best Practices Analyzer

The Active Directory Best Practices Analyzer (BPA) identifies deviations from best practices to help IT
professionals better manage their Active Directory deployments. BPA uses Windows PowerShell cmdlets to
gather run-time data. It analyzes Active Directory settings that can cause unexpected behavior. It then
makes Active Directory configuration recommendations in the context of your deployment. The Active
Directory BPA is available in Server Manager. For more information, see What's New in AD DS: Active
Directory Best Practices Analyzer.

 Active Directory Web Services

Active Directory Web Services (ADWS) provides a Web service interface to Active Directory domains and
AD LDS instances, including snapshots, that are running on the same Windows Server 2008 R2 server as
ADWS. For more information, see What's New in AD DS: Active Directory Web Services.

 Authentication mechanism assurance

Authentication mechanism assurance makes it possible for applications to control resource access based
on authentication strength and method. Administrators can map various properties, including
authentication type and authentication strength, to an identity. Based on information that is obtained
during authentication, these identities are added to Kerberos tickets for use by applications. This feature is
enabled at the Windows Server 2008 R2 domain functional level. For more information, see What's New in
AD DS: Authentication Mechanism Assurance.

 Offline domain join

Offline domain join makes provisioning of computers easier in a datacenter. It provides the ability to
preprovision computer accounts in the domain to prepare operating system images for mass deployment.
Computers are joined to the domain when they first start. This reduces the steps and time necessary to
deploy computers in a datacenter. For more information, see What's New in AD DS: Offline Domain Join.

 Managed Service Accounts

Managed Service Accounts provide simple management of service accounts. At the Windows Server 2008
R2 domain functional level, this feature provides better management of service principal names (SPNs).
Managed Service Accounts help lower total cost of ownership (TCO) by reducing service outages (for
manual password resets and related issues). You can run one Managed Service Account for each service
that is running on a server, without any human intervention for password management. For more
information, see the Service Accounts Step-by-Step Guide (http://go.microsoft.com/fwlink/?
LinkId=134695).

 Active Directory Management Pack

The Active Directory Management Pack enables proactive monitoring of availability and performance of AD
DS. It discovers and detects computer and software states, and it is aligned with the health state
definitions. The Active Directory Management Pack works with Windows Server 2008 and Windows Server
2008 R2 and Microsoft® System Center Operations Manager 2007.

 Bridgehead Server Selection

The bridgehead server selection process enables domain controllers to load balance incoming connections.
The new logic for bridgehead server selection allows for even distribution of workload among bridgehead
servers. For more information, see Bridgehead Server Selection (http://go.microsoft.com/fwlink/?
LinkId=208721).

47.What are the major changes in AD in Windows Server 2008 R2?


48.What is the AD Recycle Bin?

Starting in Windows Server 2008 R2, Active Directory implements a true recycle bin. No longer will you
need an authoritative restore to recover deleted users, groups, OUs, or other objects. Instead, it is now
possible to use PowerShell commands to bring back objects with all their attributes, backlinks, group
memberships, and metadata. AD Recycle Bin (ADRB) was a long time coming and it definitely has its
idiosyncrasies.

49.How do you use it?

50.What is tombstone lifetime attribute?

The number of days before a deleted object is removed from the directory service. This
assists in removing objects from replicated servers and prevents restores from
reintroducing a deleted object. This value is stored on the Directory Service object in the
configuration NC.
By default: Windows 2000, 60 days; Windows Server 2003, 180 days.
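
As an added example serving both the AD Recycle Bin question and the tombstone lifetime question above (this is not code from the original page), the functions below read the two lifetimes from the Directory Service object in the configuration NC, enable the Recycle Bin feature, and restore deleted objects with the Active Directory module. The forest name and the object name pattern are constructed placeholders.

```powershell
Import-Module ActiveDirectory

function Get-AdDeletionLifetimes {
    $rootDse  = Get-ADRootDSE
    $dsObject = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $ds = Get-ADObject -Identity $dsObject -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'
    [pscustomobject]@{
        # tombstoneLifetime is not set on forests that still use the original 60-day default.
        TombstoneLifetimeDays     = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }
        # msDS-DeletedObjectLifetime is how long a Recycle-Bin deleted object stays restorable.
        DeletedObjectLifetimeDays = $ds.'msDS-DeletedObjectLifetime'
        RecycleBinEnabled         = [bool](Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"').EnabledScopes
    }
}

function Enable-AdRecycleBin {
    param([Parameter(Mandatory)] [string] $ForestName)   # e.g. 'contoso.com' (placeholder)
    # Irreversible once enabled; requires the Windows Server 2008 R2 forest functional level.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
        -Target $ForestName -Confirm:$false
}

function Restore-DeletedAdObjects {
    param([Parameter(Mandatory)] [string] $NamePattern)   # e.g. 'jsmith*' (placeholder)
    # Deleted objects live under CN=Deleted Objects and are hidden from normal searches;
    # -IncludeDeletedObjects exposes them. Restore-ADObject puts them back with attributes,
    # SID and group memberships intact, which a tombstone reanimation would not preserve.
    Get-ADObject -Filter { isDeleted -eq $true -and name -like $NamePattern } `
                 -IncludeDeletedObjects -Properties lastKnownParent |
        Where-Object { $_.Name -notlike '*Deleted Objects' } |
        ForEach-Object {
            Restore-ADObject -Identity $_.ObjectGUID
            "Restored $($_.ObjectGUID) to $($_.lastKnownParent)"
        }
}

Get-AdDeletionLifetimes
# Enable-AdRecycleBin -ForestName 'contoso.com'
# Restore-DeletedAdObjects -NamePattern 'jsmith*'
```

Restoring an object works only while its `msDS-DeletedObjectLifetime` has not expired; after that it becomes a recycled object that the garbage collector removes once the tombstone lifetime has passed, so the first function is the check to run before assuming a restore is possible.
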
52. What are AD Snapshots?

This feature is currently known as the “Database Mounting Tool” (DMT), which is better than the previous name of
“Data Mining Tool”. Who knows what we’ll end up calling this at RTM, but I like the previous name “Snapshot Viewer”
the best so this is what I entitled the post.

DMT allows you to quickly take snapshots of your AD database at any point in time and view those snapshots using
the LDP viewer of your choice. At first I was extremely excited about this feature, but after realizing the command-line
action you have to go through in order to do this (see below), it killed my buzz a little bit. If you compare this to
automating ldifde/csvde backups of your AD, I can see these advantages to snapshots:

 You can mount a snapshot and attach GUI LDP tools to it. Ldifde/csvde method doesn’t do this.
 You can “backup” the entire database in one shot. Ldifde/csvde only allows a single DN or partition per shot.
 The ldifde/csvde dump of your entire partition is in clear text and snapshots are not. However, from a
security standpoint there’s not much difference, considering that if someone has the snapshot file they can also
open it up, though not as easily.
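
Added example (not from the blog post above): the command-line sequence the author refers to, driven from PowerShell. ntdsutil creates and mounts a snapshot of the AD database, and dsamain then serves the mounted copy as a separate LDAP instance that LDP, ADSI Edit or the AD cmdlets can read. The mount path is a placeholder; ntdsutil prints the real one, which contains the snapshot timestamp, when the snapshot is mounted.

```powershell
function New-AdSnapshot {
    # Takes a VSS-based snapshot of the NTDS instance on this domain controller.
    & ntdsutil.exe 'activate instance ntds' snapshot create quit quit
}

function Mount-AdSnapshot {
    param([Parameter(Mandatory)] [int] $Index)   # index shown by "snapshot list all"
    & ntdsutil.exe snapshot 'list all' "mount $Index" quit quit
}

function Dismount-AdSnapshot {
    param([Parameter(Mandatory)] [int] $Index)
    & ntdsutil.exe snapshot 'list all' "unmount $Index" quit quit
}

function Start-AdSnapshotLdap {
    param(
        [Parameter(Mandatory)] [string] $MountPath,   # placeholder, e.g. 'C:\$SNAP_200810201003_VOLUMEC$'
        [int] $LdapPort = 51389
    )
    # dsamain serves the mounted ntds.dit read-only on its own LDAP port; it runs until stopped.
    $dit = Join-Path $MountPath 'Windows\NTDS\ntds.dit'
    Start-Process -FilePath dsamain.exe -ArgumentList "-dbpath `"$dit`" -ldapport $LdapPort" -NoNewWindow
}

function Compare-AdSnapshotUser {
    param([Parameter(Mandatory)] [string] $SamAccountName, [int] $LdapPort = 51389)
    # Compare an account as it was in the snapshot with its live state, the typical reason
    # for mounting a snapshot in the first place.
    $old = Get-ADUser -Identity $SamAccountName -Server "localhost:$LdapPort" -Properties memberOf, description
    $new = Get-ADUser -Identity $SamAccountName -Properties memberOf, description
    [pscustomobject]@{
        User               = $SamAccountName
        GroupsRemovedSince = @($old.memberOf | Where-Object { $new.memberOf -notcontains $_ })
        GroupsAddedSince   = @($new.memberOf | Where-Object { $old.memberOf -notcontains $_ })
        DescriptionWas     = $old.description
        DescriptionNow     = $new.description
    }
}

# New-AdSnapshot
# Mount-AdSnapshot -Index 1
# Start-AdSnapshotLdap -MountPath 'C:\$SNAP_200810201003_VOLUMEC$'
# Compare-AdSnapshotUser -SamAccountName 'jsmith'
# Dismount-AdSnapshot -Index 1
```

The mounted folder is a full copy of the database, password hashes included, so it should carry the same file-system permissions as the live NTDS folder and be unmounted as soon as the comparison is done.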

53.How do you use them?

54.What is Offline Domain Join?

55.How do you use it?


56.What are Fine-Grained Passwords?
You can use fine-grained password policies to specify multiple password policies within a single domain.
You can use fine-grained password policies to apply different restrictions for password and account lockout
policies to different sets of users in a domain.
For example, you can apply stricter settings to privileged accounts and less strict settings to the accounts
of other users. In other cases, you might want to apply a special password policy for accounts whose
passwords are synchronized with other data sources.
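
An added example (not from the original text) of the first case mentioned: a password settings object (PSO) that is stricter than the domain default, applied to privileged accounts through a global security group, followed by a check of which policy actually wins for a given user. The policy name, group name and numeric settings are constructed placeholders.

```powershell
Import-Module ActiveDirectory

function New-PrivilegedPasswordPolicy {
    param(
        [string] $Name  = 'PSO-PrivilegedAccounts',   # placeholder
        [string] $Group = 'Tier0-Admins'              # placeholder global security group
    )
    # When a user is covered by more than one PSO, the one with the LOWEST Precedence wins.
    New-ADFineGrainedPasswordPolicy -Name $Name -Precedence 10 `
        -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 60) `
        -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false

    # PSOs apply to users or global security groups, never to OUs.
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $Group
    Get-ADFineGrainedPasswordPolicy -Identity $Name
}

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)] [string] $SamAccountName)
    # Returns the winning PSO; an empty result means the domain default policy applies.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) {
        $pso | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
    } else {
        "No PSO applies to $SamAccountName; the Default Domain Policy password settings are in effect."
    }
}

# New-PrivilegedPasswordPolicy
# Get-EffectivePasswordPolicy -SamAccountName 'admin-jsmith'
```

The resultant-policy check is the useful part in practice: because membership in the subject group is what attaches the policy, an administrator account that was left out of the group silently keeps the weaker domain default.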

57.How do you use them?

58.Talk about Restartable Active Directory Domain Services in Windows


Server 2008/R2. Whatis this feature good for?
Restartable AD DS is a feature in Windows Server 2008 that you can use to perform routine maintenance
tasks on a domain controller, such as applying updates or performing offline defragmentation, without
restarting the server.
While AD DS is running, a domain controller running Windows Server 2008 behaves the same way as a
domain controller running Microsoft® Windows® 2000 Server or Windows Server 2003.
While AD DS is stopped, you can continue to log on to the domain by using a domain account if other
domain controllers are available to service the logon request. You can also log on to the domain with a
domain account while the domain controller is started in Directory Services Restore Mode (DSRM) if other
domain controllers are available to service the logon request.
If no other domain controller is available, you can log on to the domain controller where AD DS is stopped
in Directory Services Restore Mode (DSRM) only by using the DSRM Administrator account and password
by default, as in Windows 2000 Server Active Directory or Windows Server 2003 Active Directory.
You can change the default by modifying the DsrmAdminLogonBehavior registry entry. By modifying
the value for that registry entry, you can log on using the DSRM Administrator account in normal startup
mode to a domain controller that has AD DS stopped even if no other domain controller is available. You
do not need to start the domain controller in DSRM. This can help prevent you from getting inadvertently
locked out of a domain controller to which you have logged on locally and stopped the AD DS service. For
more information, see Modifying the default logon behavior.
You cannot run the dcpromo command normally to remove AD DS from a domain controller while AD DS
is stopped. However, you can run dcpromo /forceremoval to forcefully remove AD DS from a domain
controller while AD DS is stopped. For more information about how to forcefully remove AD DS, see the
Step-by-Step Guide for Windows Server 2008 Active Directory Domain Services Installation and Removal.
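
Added example (not from the original text): the offline defragmentation task mentioned above, performed with restartable AD DS instead of a reboot into DSRM, plus a read of the DsrmAdminLogonBehavior value the text describes. The compaction target folder is a placeholder.

```powershell
function Invoke-OfflineDefrag {
    param([string] $TargetDir = 'C:\NTDS-Compact')   # placeholder; needs free space >= database size
    New-Item -ItemType Directory -Path $TargetDir -Force | Out-Null

    # Stopping NTDS also stops the services that depend on it (KDC, Netlogon, DNS when
    # AD-integrated), so the DC stops answering logons until Start-Service below runs.
    Stop-Service -Name NTDS -Force
    try {
        # ntdsutil writes a compacted copy of ntds.dit into $TargetDir; the live file is untouched.
        & ntdsutil.exe 'activate instance ntds' files "compact to $TargetDir" quit quit
        if ($LASTEXITCODE -ne 0) { throw "ntdsutil compact failed ($LASTEXITCODE)" }
        # Copying the compacted file over the original and deleting the old log files are left
        # as manual steps, so that a failed compaction never replaces a working database.
        "Compacted database written to $TargetDir"
    }
    finally {
        Start-Service -Name NTDS
        (Get-Service -Name NTDS).Status
    }
}

function Get-DsrmLogonBehavior {
    # 0 (default): the DSRM administrator can log on only in Directory Services Restore Mode
    # 1: also allowed in normal startup mode while AD DS is stopped (what the text describes)
    # 2: always allowed, even with AD DS running (the weakest setting)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $val = (Get-ItemProperty -Path $key -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
    if ($null -eq $val) { 0 } else { [int]$val }
}

Get-DsrmLogonBehavior
# Invoke-OfflineDefrag
```

A value of 2 is worth flagging in a domain controller baseline: it turns the DSRM administrator into a permanently usable local account that does not go through AD DS authentication or auditing.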

59.What are the changes in auditing in Windows Server 2008/R2?


60.How can you forcibly remove AD from a server, and what do you do
later?
61.Can I get user passwords from the AD database?
The passwords in AD are not stored encrypted by default, so they cannot be decrypted. They are
hashed. The only way to recover the data from a hash is with some sort of a hacking algorithm
that attempts to crack the hash (such tools exist).

62.What tool would I use to try to grab security related packets from the
wire?
You must use sniffer-detecting tools to help stop the snoops.
A good packet sniffer would be Ethereal (Wireshark) or tcpdump.

63.Talk about PowerShell and AD.


64.How do you backup AD?
Backing up Active Directory is essential to maintain an Active Directory database. You can back up
Active Directory by using the graphical user interface (GUI) and command-line tools that the
Windows Server 2003 family provides.

You should frequently back up the system state data on domain controllers so that you can restore the
most current data. By establishing a regular backup schedule, you have a better chance of
recovering data when necessary.

To ensure that a good backup includes at least the system state data and the contents of the system
disk, you must be aware of the tombstone lifetime. By default, the tombstone lifetime is 60 days. Any
backup older than 60 days is not a good backup. Plan to back up at least two domain
controllers in each domain, so that at least one backup is available to enable an authoritative restore
of the data when necessary.

System State Data


Several features in the Windows Server 2003 family make it easy to back up Active Directory.
You can back up Active Directory while the server is online, and other network functions can
continue to operate.

System state data on a domain controller includes the following components:

 Active Directory: System state data contains Active Directory only if the server on
which you are backing up the system state data is a domain controller. Active Directory is
present only on domain controllers.
 The SYSVOL shared folder: This shared folder contains Group Policy templates and logon
scripts. The SYSVOL shared folder is present only on domain controllers.
 The Registry: This database repository contains information about the computer's
configuration.
 System startup files: Windows Server 2003 requires these files during its initial startup phase.
They include the boot and system files that are under Windows File Protection and are used by
Windows to load, configure, and run the operating system.
 The COM+ Class Registration database: The Class Registration database holds information
about Component Services applications.
 The Certificate Services database: This database contains certificates that a server running
Windows Server 2003 uses to authenticate users. The Certificate Services database is present
only if the server is operating as a certificate server.

System state data contains most elements of a system's configuration, but it may not include
all of the information that you require to recover from a system failure. Therefore, be
sure to back up all boot and system volumes, including the System State, when you back up
your server.
Restoring Active Directory
In the Windows Server 2003 family, you can restore the Active Directory database if it becomes
corrupted or is destroyed because of hardware or software failures. You must also restore the
Active Directory database when objects in Active Directory have been changed or deleted and
need to be recovered.

An Active Directory restore can be performed in several ways. Replication synchronizes the
latest changes from every other replication partner; once replication is finished, each
partner has an updated version of Active Directory. Another way to obtain the latest
data is to use the Backup utility to restore replicated data from a backup copy. For this restore you
do not need to reconfigure the domain controller or reinstall the operating
system from scratch.

Active Directory Restore Methods


You can use one of three methods to restore Active Directory from backup media:
primary restore, normal (non-authoritative) restore, and authoritative restore.

 Primary restore: This method rebuilds the first domain controller in a domain when there is
no other way to rebuild the domain. Perform a primary restore only when all the domain
controllers in the domain are lost and you want to rebuild the domain from the backup.
Members of the Administrators group can perform a primary restore on the local computer, or a user
who has been delegated this responsibility can perform the restore. On a domain
controller, only Domain Admins can perform this restore.
 Normal restore: This method reinstates the Active Directory data to the state at the time of the
backup, and then updates the data through the normal replication process. Perform a normal
restore to return a single domain controller to a previously known good state.
 Authoritative restore: You perform this method in tandem with a normal restore. An
authoritative restore marks specific data as current and prevents replication from
overwriting that data. The authoritative data is then replicated throughout the domain.
Perform an authoritative restore of individual objects in a domain that has multiple domain
controllers. When you perform an authoritative restore, you lose all changes to the restored
objects that occurred after the backup. Ntdsutil is the command-line utility used to perform an
authoritative restore, together with the Windows Server 2003 system utilities. You use the Ntdsutil
command-line tool to mark Active Directory objects as authoritative so that they receive a higher
version number; recently changed data on other domain controllers then does not overwrite the
restored data during replication.
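
The text above describes the Windows Server 2003 tooling; as an added example (not from the page), here are the Windows Server 2008 equivalents driven from PowerShell: wbadmin takes the system state backup that contains the AD database and SYSVOL, a simple age check applies the tombstone rule from the text before a restore is attempted, and ntdsutil marks a subtree authoritative after a non-authoritative restore in DSRM. The backup target, the backup date and the OU name are constructed placeholders.

```powershell
function Backup-AdSystemState {
    param([Parameter(Mandatory)] [string] $Target)   # placeholder, e.g. 'E:' (must not be a critical volume)
    # -quiet suppresses the confirmation prompt; each run is stored as a dated version.
    & wbadmin.exe start systemstatebackup -backupTarget:$Target -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin failed ($LASTEXITCODE)" }
    & wbadmin.exe get versions -backupTarget:$Target
}

function Test-BackupAge {
    param(
        [Parameter(Mandatory)] [datetime] $BackupTime,
        [int] $TombstoneLifetimeDays = 60   # the default stated in the text; read the real value for your forest
    )
    # A backup older than the tombstone lifetime must not be restored: the restored DC would
    # bring back objects that every other DC has already purged (lingering objects).
    $age = ((Get-Date) - $BackupTime).Days
    [pscustomobject]@{ BackupAgeDays = $age; TombstoneLifetimeDays = $TombstoneLifetimeDays; Restorable = ($age -lt $TombstoneLifetimeDays) }
}

function Set-AuthoritativeRestore {
    param([Parameter(Mandatory)] [string] $SubtreeDn)   # placeholder, e.g. 'OU=Sales,DC=contoso,DC=com'
    # Run in DSRM after "wbadmin start systemstaterecovery" has restored the database and
    # BEFORE the normal reboot. Raises the version numbers of the subtree so that replication
    # from other DCs (where the objects are deleted) does not overwrite it.
    & ntdsutil.exe 'activate instance ntds' 'authoritative restore' "restore subtree $SubtreeDn" quit quit
}

# Backup-AdSystemState -Target 'E:'
Test-BackupAge -BackupTime (Get-Date).AddMonths(-7)       # placeholder: the 7-month-old backup from question 68
# Set-AuthoritativeRestore -SubtreeDn 'OU=Sales,DC=contoso,DC=com'
```

With the default lifetime, the age check returns `Restorable = False` for the seven-month-old backup, which is the reason asked about two questions further down.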

65.How do you restore AD?

66.Talk about Windows Backup and AD backups.


67.How do you change the DS Restore admin password?
1. Click, Start, click Run, type ntdsutil, and then click OK.
2. At the Ntdsutil command prompt, type set dsrm password.
3. At the DSRM command prompt, type one of the following lines:
o To reset the password on the server on which you are working, type reset password on
server null. The null variable assumes that the DSRM password is being reset on the
local computer. Type the new password when you are prompted. Note that no
characters appear while you type the password.

-or-
o To reset the password for another server, type reset password on server servername,
where servername is the DNS name for the server on which you are resetting the DSRM
password. Type the new password when you are prompted. Note that no characters
appear while you type the password.
4. At the DSRM command prompt, type q.
5. At the Ntdsutil command prompt, type q to exit.

68.Why can't you restore a DC that was backed up 7 months ago?


Because of the tombstone life which is set to only 60 days

69.What's NTDSUTIL? When do you use it?


Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory
Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). You can
use the ntdsutil commands to perform database maintenance of AD DS, manage and control
single master operations, and remove metadata left behind by domain controllers that were
removed from the network without being properly uninstalled. This tool is intended for use by
experienced administrators.

70.What are RODCs?


When physical security is lacking, it becomes essential to increase the focus on data security. Windows Server
2008 and R2 provide some new ways to do so that seem uniquely tailored for environments like remote offices
where physical security may not be as tight. Read-only domain controllers (RODCs) are a new feature of the
Active Directory Domain Services (AD DS) in the Windows Server systems. They represent a fundamental
change to how you'd typically use domain controllers (DCs).
Because many of RODCs' new capabilities impact key aspects of the design and deployment process, it's
important to understand how you can leverage them in your enterprise. There are also critical design and
planning considerations you must take into account before introducing them into your environment. RODCs are
DCs that host complete, read-only copies of Active Directory database partitions, a read-only copy of SYSVOL,
and a Filtered Attribute Set (FAS) that restricts the inbound replication of certain application data from writable
DCs.
The most common environments for RODCs using AD DS are still branch offices. These types of environments are
typically end points in a hub-and-spoke network topology. They're widely distributed geographically, in large numbers,
and they individually host small user populations and connect to hub sites by slow, unreliable network links. Additionally,
they often lack local, experienced administrators.
For branch offices already hosting writable DCs, it's probably unnecessary to deploy RODCs. In this scenario,
however, RODCs may not only meet existing AD DS-related requirements, but also exceed them with regard to
tighter security, enhanced management, simplified architecture and lower total cost of ownership (TCO). For locations
where security or manageability requirements prohibit using DCs, RODCs can help you introduce DCs into the
environment and provide a number of beneficial, localized services.
Although the new features and benefits make evaluating RODCs compelling, there are additional factors to consider,
like application compatibility issues and service impact conditions. These could render RODC deployments
unacceptable for certain environments.
For example, because many directory-enabled applications and services read data from AD DS, they should continue
to function and work with an RODC. However, if certain applications require writable access at all times, an RODC
may not be acceptable. RODCs also depend on network connectivity to a writable DC for write operations. Although
failed write operations may be the cause of most well-known application-related issues, there are other issues to
consider, such as inefficient or failed read operations, failed write-read-back operations, and general application
failures associated with the RODC itself.
Besides application issues, fundamental user and computer operations can be affected when connectivity to a
writable DC is disrupted or lost. For example, basic authentication services may fail if account passwords are not both
cacheable and cached locally on the RODC. You can easily mitigate this issue by making accounts cacheable
through an RODC's Password Replication Policy (PRP), and then caching the passwords through pre-population.
Performing these steps also requires connectivity to a writable DC.
Along with other authentication issues, password expirations and account lockouts are significantly impacted when
connectivity to a writable DC is unavailable. Password change requests and any attempts to manually unlock a
locked account will continue to fail until connectivity to a writable DC is restored. Understanding these dependencies
and subsequent changes in operational behavior is critical to ensuring your requirements and any service level
agreements (SLAs).
There are several general scenarios in which you can deploy RODCs. They're useful in locations that don't have
existing DCs, or in locations that currently host DCs that will either be replaced or upgraded to a newer version of
Windows. Although there are comprehensive planning considerations specific to each scenario, we'll focus here on
non-specific approaches. They are, however, distinct to RODCs, rather than to traditional writable DCs.
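
Added example (not from the article above): managing the Password Replication Policy (PRP) and the pre-population the text refers to, with the Active Directory module. It also lists which accounts currently have secrets cached on the RODC, which is the set an administrator resets if the branch server is lost. The RODC name, hub DC name, group names and user names are constructed placeholders.

```powershell
Import-Module ActiveDirectory

function Set-BranchPrp {
    param(
        [Parameter(Mandatory)] [string] $Rodc,         # placeholder, e.g. 'BR01-RODC'
        [Parameter(Mandatory)] [string] $AllowGroup,   # placeholder, e.g. 'Branch01-Users'
        [string] $DenyGroup = 'Domain Admins'
    )
    # Allowed list: accounts whose secrets the RODC may cache (the branch's users and computers).
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $AllowGroup
    # Denied list wins over allowed: privileged accounts must never be cacheable on a server
    # whose physical security is weak. The built-in "Denied RODC Password Replication Group"
    # already covers several of them; this adds one more explicitly.
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -DeniedList $DenyGroup
    Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
    Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied
}

function Get-RodcCacheExposure {
    param([Parameter(Mandatory)] [string] $Rodc)
    # Accounts whose passwords are currently stored on the RODC. If the RODC is compromised
    # or stolen, these are the credentials to reset.
    Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
        Select-Object Name, ObjectClass, DistinguishedName
}

function Initialize-RodcCache {
    param(
        [Parameter(Mandatory)] [string]   $Rodc,
        [Parameter(Mandatory)] [string]   $WritableDc,   # placeholder, e.g. 'HUB-DC01'
        [Parameter(Mandatory)] [string[]] $Users
    )
    # Pre-population requires connectivity to a writable DC, as the text notes; doing it in
    # advance is what keeps branch logons working during a WAN outage.
    foreach ($u in $Users) {
        $dn = (Get-ADUser -Identity $u).DistinguishedName
        & repadmin.exe /rodcpwdrepl $Rodc $WritableDc $dn
    }
}

# Set-BranchPrp -Rodc 'BR01-RODC' -AllowGroup 'Branch01-Users'
# Initialize-RodcCache -Rodc 'BR01-RODC' -WritableDc 'HUB-DC01' -Users 'jsmith', 'mjones'
# Get-RodcCacheExposure -Rodc 'BR01-RODC'
```

Only accounts that are allowed by the PRP and have actually authenticated through (or been pre-populated on) the RODC appear in the revealed list, so running the last function after pre-population is the check that the branch can survive losing the WAN link.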

71.What are the major benefits of using RODCs?


72.How do you install an RODC?
73.Talk about RODCs and passwords.
74.What is Read Only DNS?

DNS Server and DNS Server Roles Overview


Before DNS, HOSTS files were used to resolve host names to IP addresses. The HOSTS files
were manually maintained by administrators. The HOSTS file was located on a centrally
administered server on the Internet. Because of the shortcomings of the HOSTS files, DNS was
designed and introduced. From the days of Windows NT Server 4.0, DNS has been included
with the operating system. DNS is a hierarchically distributed and scalable database. DNS
provides name registration, name resolution and service location for Windows 2000 and
Windows Server 2003 clients.
A DNS zone is the contiguous portion of the DNS domain name space over which a DNS server
has authority, or is authoritative. A zone is a portion of a namespace – it is not a domain. A
domain is a branch of the DNS namespace. A DNS zone can contain one or more contiguous
domains. A DNS server can be authoritative for multiple DNS zones.

A DNS server is a computer running the DNS Server service, or BIND, that provides domain
name services. The DNS server program, whether it is the DNS Server service or BIND, manages
and maintains the DNS database located on the DNS server. The information in the DNS database
of a DNS server pertains to a portion of the DNS domain tree structure or namespace. This
information is used to provide responses to client requests for name resolution. When a DNS
server is queried for name resolution, it can respond to the request directly by providing the
requested information, provide a pointer (referral) to another DNS server that can assist in
resolving the query, or respond that the information is unavailable or that it does not exist. A
DNS server is authoritative for the contiguous portion of the DNS namespace over which it
resides.

You can configure different server roles for your DNS servers. The server role that you configure
for a name server affects the following operations of the server:

 The way in which the DNS server stores DNS data

 The way in which the DNS server maintains data

 Whether the DNS data in the database file can be directly edited.

In DNS, a standard primary DNS server is the authoritative DNS server for a DNS zone. There
are a number of zone types used in Windows Server 2003 DNS:

 Primary zone: This is the only zone type that can be directly updated or edited, because the
data in the zone is the original source of the data for all domains in the zone. Updates
made to the primary zone are made by the DNS server that is authoritative for the specific
primary zone.

 Secondary zone: This is a read-only copy of the zone that was copied from the master
server during zone transfer.

 Active Directory-integrated zone: This is an authoritative primary zone that stores its data
in Active Directory. Active Directory-integrated zones can be regarded as enhanced
standard primary zones.

 Stub zone: Stub zones only contain those resource records necessary to identify the
authoritative DNS servers for the master zone.

Standard secondary DNS servers are usually implemented to provide a number of features for
the DNS environment, including:

 Redundancy: It is recommended to install one primary DNS server and one secondary DNS
server for each DNS zone (minimum requirement). Install the DNS servers on different
subnets so that if one DNS server fails, the other DNS server can continue to resolve queries.

 Distribution of DNS processing load: Implementing secondary DNS servers assists in
reducing the load on the primary DNS server.

 Fast access for clients in remote locations: Secondary DNS servers can also prevent clients
from traversing slow links for name resolution requests.

In addition to the two server roles just mentioned, you can also configure the DNS server as a DNS
forwarder or as a caching-only DNS server. The remainder of this article focuses on the
different DNS server roles that you can configure for your DNS servers.

Understanding Standard Primary DNS Servers


A standard primary DNS server is a name server that obtains zone data from the local DNS
database. This makes the primary DNS server authoritative for the zone data that it contains.
When a change needs to be made to the resource records of the zone, it has to be done on the
primary DNS server so that it can be included in the local zone database.

A DNS primary server is created when a new primary zone is added. The primary server that is
created becomes the mechanism for updating the specific primary zone.

When a query is sent to the standard primary DNS server for name resolution, the following
events take place:

1. The request for name resolution is sent to the primary DNS server.

2. The primary DNS server compares the requested name to the information it contains in
its local zone database.

3. If the primary DNS server locates a match for the queried name, the requested
information is returned to the client.
4. If the DNS server cannot find a matching record in its local zone database file, the DNS
server then attempts a number of name resolution methods to resolve the request on
behalf of the client.

5. If all attempts at name resolution are unsuccessful, the DNS server returns an error
message to the client.

Understanding Standard Secondary DNS Servers


This DNS server type obtains a read-only copy of zone information through DNS zone transfers.
A secondary DNS server cannot make any changes to the information contained in its read-only
zone copy. A secondary DNS server can however resolve queries for name resolution.

Secondary DNS servers are usually implemented to provide fault tolerance, provide fast access
for clients in remote locations, and to distribute the DNS server processing load evenly. If a
secondary DNS server is implemented, that DNS server can continue to handle queries when the
primary DNS becomes unavailable. Secondary DNS servers also assist in reducing the
processing load of the primary DNS server. It is recommended to install at least one primary
DNS server, and one secondary DNS server for each DNS zone.

A secondary DNS server obtains its data from the primary DNS server's zone database, as a copy
of that database. During zone transfer, the primary DNS server's zone database is replicated to
the secondary DNS server. A secondary DNS server cannot make changes to its zone
information. All changes have to be made on the primary zone, and then have to be replicated to
the secondary DNS server through DNS zone transfer.

DNS Notify is a mechanism that enables a primary DNS server to inform secondary DNS servers
when its database has been updated. The mechanism informs the secondary DNS servers when
they need to initiate a zone transfer so that the updates of the primary DNS server can be
replicated to them. When a secondary DNS server receives the notification from the primary
DNS server, it can start an incremental zone transfer or a full zone transfer to pull zone changes
from the primary DNS server.

Understanding Caching-Only DNS Servers


The main characteristics of caching-only DNS servers are:

 Caching-only DNS servers do not host zones.

 They are not authoritative for any DNS domain.

 The information stored by caching-only DNS servers is the name resolution data that it
has collected through name resolution queries.
A caching-only DNS server just performs queries and then stores the results of these queries. All
information stored on the caching-only DNS server is therefore only that data which has been
cached while the server performed queries. Caching-only DNS servers only cache information
when the queries have been resolved.

When a caching-only DNS server starts for the first time, it has no cached information. The
caching-only DNS server collects information as it sends and resolves queries. One of the main
advantages of implementing caching-only DNS servers is that they are excluded from the zone
transfer process, and therefore do not generate network traffic from zone transfers.

Understanding Master DNS Servers


The servers from which secondary DNS servers obtain zone information in the DNS hierarchy
are called master servers. When a secondary DNS server is configured, you have to specify the
master server from which it will obtain zone information. Zone transfer enables a secondary
DNS server to obtain zone information from its configured primary DNS server, and enables
these servers to continue handling queries if the primary DNS server fails. In this case, the
primary DNS server is the master server of the secondary DNS server. A secondary DNS server
can also transfer its zone data to other secondary DNS servers that are beneath it in the DNS
hierarchy. In this case, the secondary DNS server is regarded as the master server of the other
subordinate secondary DNS servers. A secondary DNS server initiates the zone transfer process
from its particular master server when it is brought online.

Understanding Dynamic DNS Servers


Windows 2000, Windows XP and Windows Server 2003 computers can dynamically update the
resource records of a DNS server when a client's IP addressing information is added, or renewed
via Dynamic Host Configuration Protocol (DHCP). Both DHCP and Dynamic DNS (DDNS)
updates make this possible. When dynamic DNS updates are enabled, a client sends a message to
the DNS server when changes are made to its IP addressing data. This indicates to the DNS
server that the A type resource record of the client needs to be updated.

How to implement a caching-only DNS server


1. Open Control Panel

2. Double-click Add/Remove Programs, and then click Add/Remove Windows Components.

3. The Windows Components Wizard starts.

4. Click Networking Services, and then click Details.

5. In the Networking Services dialog box, select the checkbox for Domain Name System
(DNS) in the list.
6. Click OK. Click Next.

7. Click Finish.

8. Do not add or configure any zones for the DNS server. The DNS Server service functions
as a caching-only DNS server by default. This basically means no configuration is
necessary to set up a caching-only DNS server.

9. You should verify that the server root hints are configured correctly.

How to add a new zone to a DNS server


1. Click Start, Administrative Tools, and then click DNS to open the DNS console.

2. In the console tree, find and select the DNS server on which you want to create the new DNS
zone.

3. From the Action menu, click the New Zone option.

4. On the initial page of the New Zone Wizard, click Next.

5. Select the zone type that you want to create. The options are:

o Primary, to create a new standard primary zone.

o Secondary, to create a copy of the primary zone.

o Stub, to create a copy of the zone containing only the NS records, the SOA record, and the
glue A records.

6. Select the default selected option – Primary zone.

7. To integrate the new zone with Active Directory, and if the DNS server is a domain
controller; then you can select the Store the zone in Active Directory (available only if
DNS server is a domain controller) checkbox.

8. Click Next.

9. On the Active Directory Zone Replication Scope page, accept the default setting for DNS
replication: To all domain controllers in the Active Directory domain. Click Next.

10. Select the Forward lookup zone option on the following page which is displayed by the
New Zone Wizard, and then click Next.

11. Enter a zone name for the new zone. Click Next.
The options that you can select on the following page with regard to dynamic updates are:
o Allow only secure dynamic updates (recommended for Active Directory) option:
This option is only available if you are using Active Directory-integrated zones.

o Allow both non-secure and secure dynamic updates option: Select this option with
caution!

o Do not allow dynamic updates option: You have to manually update zone
information and resource records.

12. Choose the best option for your circumstance, and then click Next.

13. Click Finish to add the new zone to your DNS server.
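The zone types described earlier and the New Zone Wizard steps above, done with the DnsServer PowerShell module instead of the console. This is an added example and is not part of the original article: the server names, zone name and addresses are assumptions, and the cmdlets need Windows Server 2012 or later (the Windows Server 2003 console in the article has no PowerShell equivalent). It also covers the master/secondary relationship and DNS Notify from the secondary-server section, because the transfer policy is set on the primary zone.

```powershell
# Added example, not from the original article. Creates each zone type with the
# DnsServer module and then restricts zone transfers and Notify on the primary.
# All names and addresses below are assumptions for illustration.
Import-Module DnsServer

$zone        = 'corp.example'        # assumed zone name
$primary     = 'dns1.corp.example'   # assumed primary server (a domain controller)
$secondary   = 'dns2.corp.example'   # assumed standard secondary server
$primaryIP   = '10.0.1.10'           # assumed address of $primary
$secondaryIP = '10.0.1.20'           # assumed address of $secondary

# 1. Active Directory-integrated primary zone ("Store the zone in Active Directory"),
#    replicated to all DCs in the domain and accepting only secure dynamic updates.
Add-DnsServerPrimaryZone -ComputerName $primary -Name $zone `
    -ReplicationScope Domain -DynamicUpdate Secure

# 2. Standard secondary zone on another server; $primary is its master server and
#    the zone file is the read-only copy filled by zone transfer.
Add-DnsServerSecondaryZone -ComputerName $secondary -Name $zone `
    -ZoneFile "$zone.dns" -MasterServers $primaryIP

# 3. Stub zone for a delegated child: only SOA, NS and glue A records are kept.
Add-DnsServerStubZone -ComputerName $primary -Name "branch.$zone" `
    -MasterServers '10.0.2.10' -ReplicationScope Domain    # assumed child-zone master

# 4. Lock down the primary: transfer the zone only to the listed secondary and send
#    DNS Notify only to it. A zone that transfers to any requester hands out a
#    complete host inventory, so SecureSecondaries is the setting to audit.
Set-DnsServerPrimaryZone -ComputerName $primary -Name $zone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $secondaryIP `
    -Notify NotifyServers -NotifyServers $secondaryIP

# 5. Pull the first copy to the secondary now rather than waiting for the refresh timer.
Start-DnsServerZoneTransfer -ComputerName $secondary -Name $zone -FullTransfer

# 6. Review: every non-automatic zone with its type, storage and transfer policy.
Get-DnsServerZone -ComputerName $primary |
    Where-Object { -not $_.IsAutoCreated } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate, SecureSecondaries
```

Step 6 is the check worth running on every DNS server you inherit: any primary zone whose SecureSecondaries is TransferAnyServer is exposing its contents to anyone who can reach port 53.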

How to enable dynamic updating on your DNS servers


Active Directory-integrated zones are set up to allow only secure dynamic updates.

1. Click Start, Administrative Tools, and then click DNS to open the DNS console.

2. In the console tree, expand the DNS server node that contains the authoritative zone that
you want to work with.

3. Expand the Forward Lookup Zones folder.

4. Locate the specific zone that you want to configure.

5. Right-click the zone, and then select Properties on the shortcut menu.

6. When the Zone's Properties dialog box opens, leave the General tab displayed.

7. The options available in the Dynamic updates: list box are:

o None

o Non-secure and secure

o Secure only

8. Select the Secure only option, and then click OK.

How to disable dynamic updates for a host computer or interface

You can also disable dynamic updates for a host computer, for a specific interface on that
computer, or for multiple interfaces on the computer.
1. Open the Registry Editor tool.

2. In the left pane, expand the HKEY_LOCAL_MACHINE key, expand System, expand
CurrentControlSet, and then expand Services.

3. Locate Tcpip, and then expand this node as well.

4. Find the Parameters node.

5. To disable dynamic updates for the host computer, click the Parameters node. In the
details pane, double-click the DisableDynamicUpdate entry. Change the value data of
DisableDynamicUpdate to 1 to disable dynamic updates. Click OK.

6. To disable dynamic updates for a single interface, expand the Parameters node, and then
expand the Interface node. Select the interface, and then double-click the
DisableDynamicUpdate entry in the details pane. Change the value data of
DisableDynamicUpdate to 1 to disable dynamic updates. Click OK.
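The two procedures above (secure-only updates on the zone, and the DisableDynamicUpdate registry value on a client) in PowerShell, with an audit step that reports any zone still accepting non-secure updates. This is an added example, not part of the original article; the server name, zone name and adapter name are assumptions, and the DnsServer cmdlets need Windows Server 2012 or later.

```powershell
# Added example, not from the original article. Server name, zone name and
# adapter name are assumptions.
Import-Module DnsServer

$dnsServer = 'dns1.corp.example'   # assumed

# Server side: report each primary zone's dynamic-update setting. With
# NonsecureAndSecure, any host on the network can overwrite another host's
# A record, so that setting is a finding rather than a preference.
Get-DnsServerZone -ComputerName $dnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
    ForEach-Object {
        $status = switch ($_.DynamicUpdate) {
            'NonsecureAndSecure' { 'REVIEW: unauthenticated updates accepted' }
            'Secure'             { 'OK: secure updates only' }
            default              { 'Manual updates only' }
        }
        [pscustomobject]@{ Zone = $_.ZoneName; DynamicUpdate = $_.DynamicUpdate; Status = $status }
    }

# Switch an AD-integrated zone to "Secure only" (the General tab setting above).
Set-DnsServerPrimaryZone -ComputerName $dnsServer -Name 'corp.example' -DynamicUpdate Secure

# Client side: the DisableDynamicUpdate value from the registry procedure above.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Whole host: this computer stops registering its own records.
Set-ItemProperty -Path $tcpip -Name DisableDynamicUpdate -Value 1 -Type DWord

# Single interface: same value under the adapter's GUID key (the article's
# "Interface node" is the Interfaces key below Parameters).
$nic   = Get-NetAdapter -Name 'Ethernet'          # assumed adapter name
$ifKey = Join-Path $tcpip "Interfaces\$($nic.InterfaceGuid)"
Set-ItemProperty -Path $ifKey -Name DisableDynamicUpdate -Value 1 -Type DWord

# Confirm what was written; a later ipconfig /registerdns will now do nothing.
Get-ItemProperty -Path $tcpip -Name DisableDynamicUpdate | Select-Object DisableDynamicUpdate
Get-ItemProperty -Path $ifKey -Name DisableDynamicUpdate | Select-Object DisableDynamicUpdate
```

The registry changes take effect for the DNS client service on its next registration attempt; on older systems a restart of the service or the computer makes them apply immediately.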

How to test a query on a DNS server


1. Click Start, Administrative Tools, and then click DNS to open the DNS console.

2. In the console tree, right-click the DNS server that you want to test and then select
Properties on the shortcut menu.

3. When the DNS Server's Properties dialog box opens, click the Monitoring tab.

4. You can choose to perform a simple query test, a recursive query test, or you can specify
that the DNS server automatically performs testing at an interval that you set.

5. In the Select A Test Type area of the Monitoring tab, select the A Simple Query Against
This DNS Server checkbox.

6. Click the Test Now button.

7. The Test Results area of the tab displays the results of the test.

8. Click OK.
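The Monitoring-tab tests above and the caching-only checks from the earlier procedure (no zones hosted, root hints present), run from PowerShell. This is an added example, not part of the original article; $dnsServer and $dnsIP are assumed names, and the DnsServer module needs Windows Server 2012 or later.

```powershell
# Added example, not from the original article. Names and addresses are assumptions.
Import-Module DnsServer

$dnsServer = 'cache1.corp.example'   # assumed caching-only server
$dnsIP     = '10.0.1.30'             # assumed address of that server

# A caching-only server should host no zones of its own (auto-created ones excepted).
$hosted = Get-DnsServerZone -ComputerName $dnsServer | Where-Object { -not $_.IsAutoCreated }
if ($hosted) { Write-Warning "Not caching-only: hosts $($hosted.ZoneName -join ', ')" }

# Root hints are what a recursive query falls back on when nothing is cached.
$roots = Get-DnsServerRootHint -ComputerName $dnsServer
"Root hints configured: $($roots.Count)"
if ($roots.Count -eq 0) { Write-Warning 'No root hints: recursive queries will fail' }

# "A simple query against this DNS server": does the service answer at all?
Test-DnsServer -IPAddress $dnsIP -ComputerName $dnsServer

# "A recursive query to other DNS servers": resolve an external name through the
# server (-DnsOnly skips LLMNR/NetBIOS so only DNS is exercised), then confirm the
# answer landed in the cache.
Resolve-DnsName -Name 'www.example.com' -Server $dnsIP -DnsOnly
Show-DnsServerCache -ComputerName $dnsServer |
    Where-Object { $_.HostName -like '*example.com*' } |
    Select-Object HostName, RecordType, TimeToLive

# Caveat for responders: a poisoned entry stays until its TTL expires.
# Clear-DnsServerCache -ComputerName $dnsServer flushes the whole cache if that is suspected.
```

Run the two tests from a host other than the DNS server itself as well: a server that answers locally but not over the network usually has a firewall rule, not a DNS problem.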

75. What happens when a remote site with an RODC loses connectivity to the main site?

76. Talk about Server Core and AD.
Server Core is a new feature in the Windows Server world. It installs a command-line
administration-only version of Windows Server 2008 that helps reduce the attack surface of the
server. Traditionally, there are many attack options on a Microsoft server, and you, the
administrator, need to be aware of that and take action to ensure security. However, with
Server Core, less code is installed (that is, there is a smaller footprint), and with that reduction in
code comes a reduction in the number of places an attacker can hit. Fewer moving parts equals
fewer vulnerabilities.

The supported roles in Server Core include the following:

 Active Directory Domain Services (ADDS)
 Active Directory Lightweight Directory Services (AD LDS)
 DHCP Server
 DNS Server
 File Services
 Internet Information Services (IIS)
 Print Services
 Streaming Media Services
 Windows Virtualization (Hyper-V)

77. How do you promote a Server Core to DC?

78. What are the FSMO roles? Who has them by default? What happens when each one fails?

79. How can you tell who holds each FSMO role? Name 2-3 methods.

80. What FSMO placement considerations do you know of?

81. You want to look at the RID allocation table for a DC. What do you need to do?

1. Install the Support Tools from the OS disk (OS install disk => support => tools => suptools.msi).

2. At a command prompt, type dcdiag /test:ridmanager /s:system1 /v (system1 is the name of our DC).
82. What's the difference between transferring a FSMO role and seizing one? Which one should
you NOT seize? Why?

Seizing an FSMO can be a destructive process and should only be attempted if the existing server with
the FSMO is no longer available.

If the domain controller that is the Schema Master FSMO role holder is temporarily unavailable, DO NOT
seize the Schema Master role.

If you are going to seize the Schema Master, you must permanently disconnect the current Schema
Master from the network.

If you seize the Schema Master role, the boot drive on the original Schema Master must be completely
reformatted and the operating system must be cleanly installed, if you intend to return this computer to
the network.

NOTE: The Boot Partition contains the system files (\System32). The System Partition is the partition that
contains the startup files, NTDetect.com, NTLDR, Boot.ini, and possibly Ntbootdd.sys.

The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to the first domain
controller in the forest root domain. The first domain controller in each new child or tree domain is
assigned the three domain-wide roles. Domain controllers continue to own FSMO roles until they are
reassigned by using one of the following methods:

 An administrator reassigns the role by using a GUI administrative tool.
 An administrator reassigns the role by using the ntdsutil /roles command.
 An administrator gracefully demotes a role-holding domain controller by using the Active
Directory Installation Wizard. This wizard reassigns any locally-held roles to an existing domain
controller in the forest. Demotions that are performed by using the dcpromo /forceremoval
command leave FSMO roles in an invalid state until they are reassigned by an administrator.

We recommend that you transfer FSMO roles in the following scenarios:

 The current role holder is operational and can be accessed on the network by the new FSMO
owner.
 You are gracefully demoting a domain controller that currently owns FSMO roles that you want
to assign to a specific domain controller in your Active Directory forest.
 The domain controller that currently owns FSMO roles is being taken offline for scheduled
maintenance and you need specific FSMO roles to be assigned to a "live" domain controller. This
may be required to perform operations that connect to the FSMO owner. This would be
especially true for the PDC Emulator role but less true for the RID master role, the Domain
naming master role and the Schema master roles.

We recommend that you seize FSMO roles in the following scenarios:

 The current role holder is experiencing an operational error that prevents an FSMO-dependent
operation from completing successfully and that role cannot be transferred.
 A domain controller that owns an FSMO role is force-demoted by using the dcpromo
/forceremoval command.
 The operating system on the computer that originally owned a specific role no longer exists or
has been reinstalled.

As replication occurs, non-FSMO domain controllers in the domain or forest gain full knowledge of
changes that are made by FSMO-holding domain controllers. If you must transfer a role, the best
candidate domain controller is one that is in the appropriate domain that last inbound-replicated, or
recently inbound-replicated, a writable copy of the "FSMO partition" from the existing role holder. For
example, the Schema master role holder has a distinguished name path of
CN=schema,CN=configuration,dc=<forest root domain>, which means that the role resides in and is
replicated as part of the CN=schema partition. If the domain controller that holds the Schema master
role experiences a hardware or software failure, a good candidate role holder would be a domain
controller in the root domain and in the same Active Directory site as the current owner. Domain
controllers in the same Active Directory site perform inbound replication every 5 minutes or 15 seconds.

The partition for each FSMO role is in the following table:

FSMO role              Partition
Schema                 CN=Schema,CN=configuration,DC=<forest root domain>
Domain Naming Master   CN=configuration,DC=<forest root domain>
PDC                    DC=<domain>
RID                    DC=<domain>
Infrastructure         DC=<domain>

A domain controller whose FSMO roles have been seized should not be permitted to communicate with
existing domain controllers in the forest. In this scenario, you should either format the hard disk and
reinstall the operating system on such domain controllers or forcibly demote such domain controllers on
a private network and then remove their metadata on a surviving domain controller in the forest by
using the ntdsutil /metadata cleanup command. The risk of introducing a former FSMO role holder
whose role has been seized into the forest is that the original role holder may continue to operate as
before until it inbound-replicates knowledge of the role seizure. Known risks of two domain controllers
owning the same FSMO roles include creating security principals that have overlapping RID pools, and
other problems.

Transfer FSMO roles

To transfer the FSMO roles by using the Ntdsutil utility, follow these steps:

1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or
domain controller that is located in the forest where FSMO roles are being transferred. We
recommend that you log on to the domain controller that you are assigning FSMO roles to. The
logged-on user should be a member of the Enterprise Administrators group to transfer Schema
master or Domain naming master roles, or a member of the Domain Administrators group of the
domain where the PDC emulator, RID master and the Infrastructure master roles are being
transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER.

Note To see a list of available commands at any one of the prompts in the Ntdsutil utility, type ?,
and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where servername is the name of
the domain controller you want to assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type transfer role, where role is the role that you want to transfer. For a list of roles that you
can transfer, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of
roles at the start of this article. For example, to transfer the RID master role, type transfer rid
master. The one exception is for the PDC emulator role, whose syntax is transfer pdc, not
transfer pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil
prompt. Type q, and then press ENTER to quit the Ntdsutil utility.


Seize FSMO roles

To seize the FSMO roles by using the Ntdsutil utility, follow these steps:
1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or
domain controller that is located in the forest where FSMO roles are being seized. We
recommend that you log on to the domain controller that you are assigning FSMO roles to. The
logged-on user should be a member of the Enterprise Administrators group to transfer schema
or domain naming master roles, or a member of the Domain Administrators group of the
domain where the PDC emulator, RID master and the Infrastructure master roles are being
transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where servername is the name of
the domain controller that you want to assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type seize role, where role is the role that you want to seize. For a list of roles that you can
seize, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at
the start of this article. For example, to seize the RID master role, type seize rid master. The one
exception is for the PDC emulator role, whose syntax is seize pdc, not seize pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil
prompt. Type q, and then press ENTER to quit the Ntdsutil utility.

Notes
o Under typical conditions, all five roles must be assigned to "live" domain controllers in
the forest. If a domain controller that owns a FSMO role is taken out of service before its
roles are transferred, you must seize all roles to an appropriate and healthy domain
controller. We recommend that you only seize all roles when the other domain
controller is not returning to the domain. If it is possible, fix the broken domain
controller that is assigned the FSMO roles. You should determine which roles are to be
on which remaining domain controllers so that all five roles are assigned to a single
domain controller. For more information about FSMO role placement, click the
following article number to view the article in the Microsoft Knowledge Base: 223346
(http://support.microsoft.com/kb/223346/ ) FSMO placement and optimization on
Windows 2000 domain controllers
o If the domain controller that formerly held any FSMO role is not present in the domain
and if it has had its roles seized by using the steps in this article, remove it from the
Active Directory by following the procedure that is outlined in the following Microsoft
Knowledge Base article: 216498 (http://support.microsoft.com/kb/216498/ ) How to
remove data in active directory after an unsuccessful domain controller demotion
o Removing domain controller metadata with the Windows 2000 version or the Windows
Server 2003 build 3790 version of the ntdsutil /metadata cleanup command does not
relocate FSMO roles that are assigned to live domain controllers. The Windows Server
2003 Service Pack 1 (SP1) version of the Ntdsutil utility automates this task and removes
additional elements of domain controller metadata.
o Some customers prefer not to restore system state backups of FSMO role-holders in
case the role has been reassigned since the backup was made.
o Do not put the Infrastructure master role on the same domain controller as the global
catalog server. If the Infrastructure master runs on a global catalog server it stops
updating object information because it does not contain any references to objects that
it does not hold. This is because a global catalog server holds a partial replica of every
object in the forest.

To test whether a domain controller is also a global catalog server:

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites
and Services.
2. Double-click Sites in the left pane, and then locate the appropriate site or click Default-first-site-
name if no other sites are available.
3. Open the Servers folder, and then click the domain controller.
4. In the domain controller's folder, double-click NTDS Settings.
5. On the Action menu, click Properties.
6. On the General tab, view the Global Catalog check box to see if it is selected.
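The ntdsutil transfer and seize procedures above, the "who holds each role" question, and the global catalog check, done with the ActiveDirectory PowerShell module (Windows Server 2008 R2 and later). This is an added example and not part of the original Knowledge Base text; the target DC name DC2 is an assumption.

```powershell
# Added example, not from the original article. DC2 is an assumed DC name.
Import-Module ActiveDirectory

# 1. Who holds each role? The two forest-wide roles hang off the forest object, the
#    three domain-wide roles off the domain object. netdom query fsmo and
#    dcdiag /test:knowsofroleholders /v are the command-line alternatives.
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# 2. Global catalog check from the notes above: the Infrastructure master should not
#    be a GC (the one exception being a domain in which every DC is a GC, where it
#    has nothing to fix up anyway).
$dcs   = Get-ADDomainController -Filter *
$allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
$im    = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
if ($im.IsGlobalCatalog -and -not $allGc) {
    Write-Warning "Infrastructure master $($im.HostName) is a GC while other DCs are not"
}
$dcs | Select-Object HostName, Site, IsGlobalCatalog, OperationMasterRoles

# 3. Transfer (current holder online and reachable): the equivalent of
#    ntdsutil 'transfer rid master'. The cmdlet prompts before acting.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -OperationMasterRole RIDMaster

# 4. Seize (current holder permanently gone): same cmdlet with -Force. The former
#    holder must then never reconnect; clean its metadata with ntdsutil instead,
#    otherwise two DCs can hand out overlapping RID pools.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -OperationMasterRole SchemaMaster -Force

# 5. Verify every DC has learned the new owner before relying on it.
repadmin /replsummary
dcdiag /test:knowsofroleholders /v
```

Step 5 matters more after a seizure than after a transfer: until the seizure has replicated, a DC that has not yet heard about it still believes the old holder owns the role.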

1. What is Active Directory?

Active Directory is Microsoft's implementation of LDAP, used on the Windows Server
platform since NT and built around DNS. It is a distributed, hierarchical directory
service that stores information about the resources on the network and provides the
means for managing and controlling those resources and for authorizing and
authenticating access to them.

2. What is LDAP?

LDAP stands for Lightweight Directory Access Protocol, which provides simple read and
write access to the directory over a transport protocol such as TCP; it is similar to but
lighter than X.500. Like an RDBMS, LDAP has adopted the client-server model, and the
directory is a top-down hierarchical structure. Microsoft Active Directory and Novell
Network Directory are the best-known examples of LDAP implementations. LDAP listens on port 389.
3. Where is the AD database held? What other folders are related to AD?

The Active Directory physical database file is ntds.dit in %systemroot%\ntds (ntds – NT
Directory Service; dit – Directory Information Tree), which resides on every domain
controller. Active Directory uses the database engine called the Extensible Storage
Engine (ESE), also referred to as Microsoft Jet DB; ESE is in effect the database for
Active Directory. ESE records each transaction in the log file edb.log before writing it
to ntds.dit, which keeps the database consistent. The engine resides in the file
ESent.dll. Other files related to Active Directory are:

 edbxxx.log – auxiliary log files that come into use when edb.log is full.
 edb.chk – the checkpoint file used by the transaction logging system to mark which
updates have been transferred to ntds.dit.
 res1.log / res2.log – reserve log files used when disk space is full and edbxxx.log can
no longer be used.
 temp.edb – a scratch pad that stores information about the transaction currently in process.
 schema.ini – the file used to initialize ntds.dit.

4. What is the SYSVOL folder?

%systemroot%\SYSVOL is the folder, present on every domain controller, that stores the
elements of the Group Policy Objects defined in Active Directory and scripts such as
logon scripts. A change made in SYSVOL on one domain controller is replicated to every
other domain controller by the File Replication Service (FRS).
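Locating the database and log files named in the two answers above on a live domain controller, plus a look at the SYSVOL share. This is an added example, not from the original document; it is meant to be run locally on a DC and reads the file locations from the NTDS service parameters rather than assuming %systemroot%\ntds.

```powershell
# Added example, not from the original document. Run on a domain controller.
# Paths are read from the NTDS service parameters, which is where the
# Active Directory installation records them.
$ntds    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile  = $ntds.'DSA Database file'         # normally %systemroot%\NTDS\ntds.dit
$logPath = $ntds.'Database log files path'
$workDir = $ntds.'DSA Working Directory'

"Database : $dbFile"
"Log path : $logPath"

# The files discussed in answer 3: the database, edb.log and its numbered successors,
# the edb.chk checkpoint, the reserved logs and the temp.edb scratch file.
Get-ChildItem -Path $workDir, $logPath -Recurse `
        -Include ntds.dit, edb*.log, edb.chk, res*.log, '*.jrs', temp.edb |
    Select-Object FullName, Length, LastWriteTime

# Defensive check: ntds.dit contains every password hash in the domain, so the
# directory's ACL should normally be limited to SYSTEM and Administrators.
# Anything else listed here deserves an explanation.
(Get-Acl -Path $workDir).Access |
    Where-Object { $_.IdentityReference -notmatch 'SYSTEM|Administrators' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

# SYSVOL from answer 4: the share every DC exposes, and whether its replication
# still uses FRS or has been migrated to DFS-R.
Get-SmbShare -Name SYSVOL | Select-Object Name, Path
dfsrmig /getglobalstate
```

On Windows Server 2008 and later the reserved logs are named edbres00001.jrs and edbres00002.jrs rather than res1.log/res2.log, which is why the pattern above includes *.jrs.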

5. What are DSA and Directory Information Tree?

In LDAP, as in X.500, the servers that host copies of the information base are
called Directory Service Agents. A DSA can host the full or a partial information base. The
portion of the information base that forms a hierarchy is called the DIT. The very top of
the hierarchy is a single object that is not part of the LDAP specification; rather,
it is defined by the DNS namespace.

6. What is the Naming context in Active Directory? (source: technet)

The Directory Information Base can be separated into parts called naming contexts, or
NCs. In Active Directory, each domain represents a separate naming context. Domain
controllers in the same domain have a read/write replica of that Domain naming
context. Configuration and Schema objects are stored in their own naming contexts,
as are DNS Record objects when using Active Directory Integrated DNS zones.

When a client submits a query for information about a particular object, the system
must determine which DSA hosts the naming context that contains the particular
object. It does this using the object’s distinguished name and knowledge about the
directory topology.

If a DSA cannot respond to a query using information in the naming contexts it hosts,
it sends the client a referral to a DSA hosting the next higher or lower naming context
in the tree (depending on the distinguished name of the object in the search). The
client then submits the request to a DSA hosting the naming context in the referral.
This DSA either responds with the information being requested or a referral to
another DSA. This is called walking the tree.

DSAs that host copies of the same naming context must replicate changes to each
other. It’s important to keep this in mind as you work with Active Directory servers. If
you have separate domains, then clients in one domain must walk the tree to get
access to Active Directory objects in another domain. If the domain controllers for the
domains are in different locations in the WAN, this can slow performance. Many of the
architectural decisions you’ll make as you design your system focus on the location,
accessibility, and reliability of naming contexts.
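The naming contexts described in answers 5 and 6, read from the rootDSE of a DC and mapped to the domain controllers that host each partition. This is an added example, not part of the original document; it needs the ActiveDirectory module and a DC to query.

```powershell
# Added example, not from the original document. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# The rootDSE of any DSA advertises the naming contexts it hosts.
$rootDse = Get-ADRootDSE
"Domain NC : $($rootDse.defaultNamingContext)"
"Config NC : $($rootDse.configurationNamingContext)"
"Schema NC : $($rootDse.schemaNamingContext)"
"All NCs hosted by this DSA:"
$rootDse.namingContexts | ForEach-Object { "  $_" }

# Invert the view: for every partition, which DCs replicate it. Application
# partitions (DomainDnsZones, ForestDnsZones) show up here as well.
$hosts = @{}
foreach ($dc in Get-ADDomainController -Filter *) {
    foreach ($nc in $dc.Partitions) {
        if (-not $hosts.ContainsKey($nc)) { $hosts[$nc] = @() }
        $hosts[$nc] += $dc.HostName
    }
}
$hosts.GetEnumerator() | Sort-Object Key | ForEach-Object {
    "{0}`n    {1}" -f $_.Key, ($_.Value -join ', ')
}

# A partition hosted by a single DC has no replication partner: losing that DC
# loses the partition. Flag those.
$hosts.GetEnumerator() | Where-Object { $_.Value.Count -lt 2 } | ForEach-Object {
    Write-Warning "Partition $($_.Key) is hosted by only $($_.Value -join ', ')"
}
```

The single-host warning is the operational point of answer 6: a naming context exists only where a DSA hosts it, and a query for an object in a partition with no surviving replica can only end in a referral to nowhere.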

7. What is the Global Catalog?

The global catalog is the central repository that stores a partial replica of every
object in the directory, with only a few attributes, known as the Partial Attribute Set
(PAS). The information stored in the global catalog is read-only. However, a GC server
stores full writable copies of the schema and configuration directory partitions, the
same as any domain controller. By default the first DC in the first domain in the first
tree of the AD forest is configured as a GC. Another DC can be set as a global catalog
server from the Active Directory Sites and Services snap-in. When a client directs a
search to a GC server, the query goes to port 3268, which indicates that global catalog
semantics are required.

8. How do you view all the GCs in the forest?

AD Sites and Services, or nslookup gc._msdcs.%USERDNSDOMAIN% - the easiest way.

9. Why not make all DCs in a large forest as GCs?

If too many DCs are configured as GC servers, the additional replication between the
DCs across the forest causes overhead.

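Cross-checking the global catalog servers advertised in DNS (what the nslookup in answer 8 reads) against those recorded in Active Directory, and confirming that each one answers on the GC port 3268 from answer 7 as well as on LDAP port 389 from answer 2. This is an added example, not part of the original document; it needs the ActiveDirectory module and Windows 8.1 / Server 2012 R2 or later for Test-NetConnection.

```powershell
# Added example, not from the original document.
Import-Module ActiveDirectory

$forestName = (Get-ADForest).Name

# DNS view: every GC registers an SRV record under _gc._tcp.<forest> (and an A
# record under gc._msdcs.<forest>, which is what the nslookup in answer 8 reads).
$gcFromDns = Resolve-DnsName -Name "_gc._tcp.$forestName" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object -ExpandProperty NameTarget | Sort-Object -Unique

# AD view: the forest object lists the GCs the directory itself knows about.
$gcFromAd = (Get-ADForest).GlobalCatalogs | Sort-Object -Unique

# A DC in one list but not the other has a DNS registration or replication problem
# (or something has registered an SRV record that is not a DC).
Compare-Object -ReferenceObject $gcFromAd -DifferenceObject $gcFromDns | ForEach-Object {
    $where = if ($_.SideIndicator -eq '<=') { 'AD only' } else { 'DNS only' }
    Write-Warning "GC mismatch: $($_.InputObject) ($where)"
}

# Port check: 389 is domain LDAP, 3268 is global catalog LDAP. Their TLS-protected
# counterparts are 636 and 3269 and are what clients should be using on the wire.
foreach ($gc in $gcFromAd) {
    foreach ($port in 389, 636, 3268, 3269) {
        $open = (Test-NetConnection -ComputerName $gc -Port $port `
                    -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0,-32} {1,5} {2}' -f $gc, $port, $(if ($open) { 'open' } else { 'CLOSED' })
    }
}
```

A closed 636/3269 next to an open 389/3268 means the GC has no server certificate, so every directory query to it crosses the network in clear text.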
10. Trying to look at the Schema, how can I do that?

From active directory schema snap-in.

11. What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is
REPADMIN?

These are AD tools: replmon – replication monitoring and troubleshooting; adsiedit –
editing objects in Active Directory; netdom – managing domains and trust relationships;
repadmin – diagnosing replication issues between domain controllers.

12. What are sites? What are they used for?

Sites in Active Directory are the physical network structure of Active Directory, based
on one or more subnets. Each site in Active Directory represents a well-connected
network, which is why sites are sometimes referred to as the physical structure of AD.
Sites are created according to locations and connection quality, and a site can include
one or more domains. Creating sites lets you control replication traffic over WAN links;
in this way sites help define the AD replication topology.

13. What is Site Link?

A site link defines the connection between two or more sites. Site links are configured
under one of two transports, IP and SMTP. IP is the default and the most commonly used
transport, for reliable connections. SMTP is used over poor or unreliable network
connections.

14. What is Cost in Site Link?

Cost is a metric between 1 and 32,767; it is simply a number used to compare the relative
cost of one site link against the other links between sites. The lower the cost, the more
favourable the path. The default cost for a site link is 100, and if there is only one
site link there is no need to worry about the cost.

15. What’s the difference between a site link’s schedule and interval?

The schedule lets you list the weekdays and hours during which the site link is available
for replication. The interval is how often inter-site replication recurs, in minutes,
within the scheduled window. It ranges from 15 to 10,080 minutes; the default interval is
180 minutes.

16. What is the KCC?

KCC is the Knowledge Consistency Checker. It creates the connection objects that link the
DCs into a common replication topology and dictate the replication routes from one DC to
another in the Active Directory forest. It runs every 15 minutes by default. The KCC has
two algorithms: the intrasite KCC, which is responsible for the connections within a
site, and the Intersite Topology Generator (ISTG), which is responsible for the
connections among sites.

17. What is the ISTG? Who has that role by default?

The Intersite Topology Generator (ISTG) is the KCC role responsible for creating the
connection objects among sites. One domain controller in each site holds the role by
default; the Windows 2003 forest functional level introduced the improved ISTG algorithm
used for large numbers of sites.
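
What the cost, interval and ISTG answers above amount to, as an added Python example (not code from the page or from Windows): site links are modelled with the cost and interval ranges given in questions 14 and 15, and the cheapest route between two sites is found the way the ISTG's least-cost calculation does, by total link cost. The topology (HQ, Branch1, Branch2, DR) and all link costs and intervals are constructed for the demonstration.

```python
"""Least-cost path between sites over site links (added example, not from the page).
Each site link has a cost (1 to 32,767, default 100) and a replication interval in
minutes (15 to 10,080, default 180). The route between two sites with the lowest total
cost is the one intersite replication prefers."""
import heapq
from dataclasses import dataclass

COST_RANGE = (1, 32767)
INTERVAL_RANGE = (15, 10080)


def link_is_valid(cost, interval):
    """Range check matching the limits the Sites and Services snap-in enforces."""
    return (COST_RANGE[0] <= cost <= COST_RANGE[1]
            and INTERVAL_RANGE[0] <= interval <= INTERVAL_RANGE[1])


@dataclass(frozen=True)
class SiteLink:
    name: str
    sites: frozenset          # two or more sites joined by this link
    cost: int = 100           # default cost
    interval: int = 180       # default replication interval, minutes

    def __post_init__(self):
        if len(self.sites) < 2 or not link_is_valid(self.cost, self.interval):
            raise ValueError("invalid site link %s" % self.name)


def adjacency(links):
    """Every pair of sites on a link can replicate over it (a link listing three
    sites behaves like a full mesh at that link's cost)."""
    graph = {}
    for link in links:
        for a in link.sites:
            for b in link.sites:
                if a != b:
                    graph.setdefault(a, []).append((b, link))
    return graph


def cheapest_path(links, src, dst):
    """Dijkstra over site-link costs. Returns (total_cost, sites, link_names) or
    None when no chain of site links connects the two sites."""
    graph = adjacency(links)
    best = {src: 0}
    heap = [(0, src, (src,), ())]
    while heap:
        cost, site, path, used = heapq.heappop(heap)
        if site == dst:
            return cost, list(path), list(used)
        if cost > best[site]:
            continue                              # stale heap entry
        for nxt, link in graph.get(site, ()):
            new_cost = cost + link.cost
            if new_cost < best.get(nxt, float("inf")):
                best[nxt] = new_cost
                heapq.heappush(heap, (new_cost, nxt, path + (nxt,), used + (link.name,)))
    return None


def worst_case_latency(links, src, dst):
    """Upper bound in minutes for a change to cross the cheapest path when every
    hop has just missed its replication window: the sum of the intervals used."""
    found = cheapest_path(links, src, dst)
    if found is None:
        return None
    by_name = {link.name: link for link in links}
    return sum(by_name[n].interval for n in found[2])


# Constructed sample topology: a hub, two branches and a disaster-recovery site.
LINKS = [
    SiteLink("HQ-Branch1", frozenset({"HQ", "Branch1"}), cost=100, interval=180),
    SiteLink("HQ-Branch2", frozenset({"HQ", "Branch2"}), cost=100, interval=15),
    SiteLink("Branch1-DR", frozenset({"Branch1", "DR"}), cost=50, interval=60),
    SiteLink("Branch2-DR", frozenset({"Branch2", "DR"}), cost=500, interval=15),
    SiteLink("HQ-DR-slow", frozenset({"HQ", "DR"}), cost=200, interval=1440),
]

if __name__ == "__main__":
    # (150, ['HQ', 'Branch1', 'DR'], ['HQ-Branch1', 'Branch1-DR'])
    print(cheapest_path(LINKS, "HQ", "DR"))
```

The direct HQ-DR link loses to the two-hop route through Branch1 because 100 + 50 is cheaper than 200; raising the cost of Branch1-DR above 100 would flip that choice, which is exactly the lever the cost attribute gives you.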

18. What is linked value replication?

This is one of the significant changes made in AD 2003. In Windows 2000 the slightest
change to a multi-valued attribute caused every single value of that attribute to be
replicated, clogging network bandwidth. In AD 2003, when a single value of a multi-valued
attribute changes, only that value is replicated. For example, if a new user is added to a
security group containing 1000 users, instead of replicating all 1000 members as in Win2K,
Linked Value Replication replicates only the newly added user.

19. What is cached credential?

When a client machine cannot contact a Global Catalog server in its domain during the
logon process, locally cached credentials from the previous successful logon are used to
authenticate each unique user to the local machine. This is also known as Domain Cached
Credentials and is processed by the Local Security Authority (LSA). By default 10 logons
are cached; the number can be set from 0 to 50 in the registry at
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount.

20. What are the requirements for installing AD on a new server?

Appropriately configured TCP/IP and DNS.

21. What can you do to promote a server to DC if you’re in a remote location with
slow WAN link?

Take a System State backup from an existing DC and restore it locally on the server that
is going to become the next domain controller. Run DCPromo /adv, which adds a screen where
you specify the path of the restored System State backup. This prevents replication of
the entire directory over the slow network.

22. How can you forcibly remove AD from a server, and what do you do later?

DCPromo /forceremoval. Although this command removes the Domain Controller role from the
server, the remaining DCs still hold its metadata, so afterwards you have to use NTDSUTIL
to clean up the metadata (and seize any FSMO roles the server held).

23. What is tombstone lifetime attribute?

This is the number of days an object that has been marked for deletion (tombstoned)
remains in Active Directory before it is permanently deleted. The default is 180 days in
Windows 2003 with SP1 and 60 days in Windows 2000 and Windows 2003 without SP1. During the
tombstone lifetime the deleted object stays in the Deleted Objects container, and every
15 mins the garbage collector checks whether the tombstone lifetime has expired for any
objects; those it finds are permanently deleted.

The tombstone lifetime can be changed with ADSIEdit: in the Configuration partition, right
click the CN=Directory Service container (under CN=Windows NT,CN=Services), select
Properties, find tombstoneLifetime in the attribute list, click Edit and enter the number
of days in the value field. Or you can read it with dsquery:
dsquery * "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com" -scope base -attr tombstonelifetime
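
The date arithmetic behind the tombstone lifetime, as an added Python example (not code from the page or from Windows): it reads the value out of constructed dsquery output, computes when a deleted object becomes eligible for purging, and applies the check administrators most often need, namely that a System State backup older than the tombstone lifetime must not be restored. The 60-day figure used when the attribute is absent is the value AD applies when tombstoneLifetime has never been set.

```python
"""Tombstone-lifetime date arithmetic (added example, not from the page). Works out
when a tombstoned object is purged and whether a System State backup is still young
enough to restore: a backup older than the tombstone lifetime must not be restored,
because it would re-introduce objects that every other DC has already purged and can
no longer learn were deleted."""
from datetime import date, timedelta

TSL_UNSET_DEFAULT = 60    # days AD assumes when tombstoneLifetime has never been set


def _as_date(value):
    """Accept a date or an ISO string such as 2024-01-01."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def parse_tombstone_lifetime(dsquery_output, unset_default=TSL_UNSET_DEFAULT):
    """Pull the day count out of the dsquery output for the command above: a
    header row naming the attribute, then the value row. No value row means the
    attribute is not set, so the unset default applies."""
    for line in dsquery_output.splitlines():
        token = line.strip()
        if token.isdigit():
            return int(token)
    return unset_default


def purge_date(deleted_on, tsl_days):
    """First day on which garbage collection may permanently delete the object."""
    return _as_date(deleted_on) + timedelta(days=tsl_days)


def tombstone_expired(deleted_on, today, tsl_days):
    """True once the object can be garbage-collected."""
    return _as_date(today) >= purge_date(deleted_on, tsl_days)


def backup_restorable(backup_taken, today, tsl_days):
    """A System State backup is only usable while it is younger than the TSL."""
    return (_as_date(today) - _as_date(backup_taken)).days < tsl_days


# Constructed sample output of the dsquery command above, for a forest at the SP1 default.
SAMPLE_DSQUERY = "  tombstonelifetime\n  180\n"
```
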

DHCP Server Interview Questions and Answers

1. What is DHCP?
DHCP stands for "Dynamic Host Configuration Protocol".
2. What is DHCP's purpose?
DHCP's purpose is to enable individual computers on an IP network to extract their configurations from a server (the 'DHCP server') or servers, in particular, servers that have no exact information about the individual computers until they request the information. The overall purpose of this is to reduce the work necessary to administer a large IP network. The most significant piece of information distributed in this manner is the IP address.
3. Can DHCP work with AppleTalk or IPX?
No, it is too tied to IP. Furthermore, they don't need it since they have always had automated mechanisms for assigning their own network addresses.
4. Who Created It? How Was It Created?
DHCP was created by the Dynamic Host Configuration Working Group of the Internet Engineering Task Force (IETF; a volunteer organization which defines protocols for use on the Internet). As such, its definition is recorded in an Internet RFC and the Internet Activities Board (IAB) is asserting its status as to Internet Standardization. As of this writing (June 1998), DHCP is an Internet Draft Standard Protocol and is Elective. BOOTP is an Internet Draft Standard Protocol and is Recommended. For more information on Internet standardization, see RFC 2300 (May 1998).
5. How is it different than BOOTP or RARP?
DHCP is based on BOOTP and maintains some backward compatibility. The main difference is that BOOTP was designed for manual pre-configuration of the host information in a server database, while DHCP allows for dynamic allocation of network addresses and configurations to newly attached hosts. Additionally, DHCP allows for recovery and reallocation of network addresses through a leasing mechanism.
RARP is a protocol used by Sun and other vendors that allows a computer to find out its own IP number, which is one of the protocol parameters typically passed to the client system by DHCP or BOOTP. RARP doesn't support other parameters and using it, a server can only serve a single LAN. DHCP and BOOTP are designed so they can be routed.
6. How is it different than VLANs?
DHCP and VLANs, which are very different in concept, are sometimes cited as different solutions to the same problem. While they have a goal in common (easing moves of networked computers), VLANs represent a more revolutionary change to a LAN than DHCP. A DHCP server and forwarding agents can allow you to set things up so that you can unplug a client computer from one network or subnet and plug it into another and have it come alive immediately, it having been reconfigured automatically. In conjunction with Dynamic DNS, it could automatically be given its same name in its new place. VLAN-capable LAN equipment with dynamic VLAN assignment allows you to configure things so a client computer can be plugged into any port and have the same IP number (as well as name) and be on the same subnet. The VLAN-capable network either has its own configuration that lists which MAC addresses are to belong to each VLAN, or it makes the determination from the source IP address of the IP packets that the client computer sends. Some differences in the two approaches:
- DHCP handles changes by reconfiguring the client while a VLAN-capable network handles it by reconfiguring the network port the client is moved to.
- DHCP dynamic reconfiguration requires a DHCP server, a forwarding agent in each router, and DHCP capability in each client's TCP/IP support. The analogous capability in VLANs requires that all hubs throughout the network be VLAN-capable, supporting the same VLAN scheme. To this point VLAN support is proprietary with no vendor interoperability, but standards are being developed.
- DHCP can configure a new client computer for you while a VLAN-capable network can't.
- DHCP is generally aimed at giving "easy moves" capability to networks that are divided into subnets on a geographical basis, or on separate networks. VLANs are generally aimed at allowing you to set up subnets on some basis other than geographical, e.g. instead of putting everyone in one office on the same subnet, putting each person on a subnet that has access to the servers that that person requires.
There is an issue with trying to use DHCP (or BOOTP) and VLANs at the same time, in particular, with the scheme by which the VLAN-capable network determines the client's VLAN based upon the client computer's source IP address. Doing so assumes the client computer is already configured, which precludes the use of the network to get the configuration information from a DHCP or BOOTP server.
7. What protocol and port does DHCP use?
DHCP, like BOOTP, runs over UDP, using ports 67 (server) and 68 (client).
8. What is an IP address?
An IP address (also called an IP number) is a number (typically written as four numbers separated by periods, i.e. 107.4.1.3 or 84.2.1.111) which uniquely identifies a computer that is making use of the Internet. It is analogous to your telephone number in that the telephone number is used by the telephone network to direct calls to you. The IP address is used by the Internet to direct data to your computer, e.g. the data your web browser retrieves and displays when you surf the net. One task of DHCP is to assist in the problem of getting a functional and unique IP number into the hands of the computers that make use of the Internet.
9. What is a MAC address?
A MAC address (also called an Ethernet address or an IEEE MAC address) is a number (typically written as twelve hexadecimal digits, 0 through 9 and A through F, or as six hexadecimal numbers separated by periods or colons, i.e. 0080002012ef, 0:80:0:2:20:ef) which uniquely identifies a computer that has an Ethernet interface. Unlike the IP number, it includes no indication of where your computer is located. In DHCP's typical use, the server uses a requesting computer's MAC address to uniquely identify it.
10. What is a DHCP lease?
A DHCP lease is the amount of time that the DHCP server grants to the DHCP
client permission to use a particular IP address. A typical server allows its
administrator to set the lease time.
11. What is a Client ID?
What is termed the Client ID for the purposes of the DHCP protocol is whatever is used by the protocol to identify the client computer. By default, DHCP implementations typically employ the client's MAC address for this purpose, but the DHCP protocol allows other options. Some DHCP implementations have a setup option to specify the client ID you want. One alternative to the MAC address is simply a character string of your choice. In any case, in order for DHCP to function, you must be certain that no other client is using the client ID you choose, and you must be sure the DHCP server will accept it.
12. Can DHCP support statically defined addresses?
Yes. At least there is nothing in the protocol to preclude this and one expects it to be a feature of any DHCP server. This is really a server matter and the client should work either way. The RFC refers to this as manual allocation.
13. How do DHCP and BOOTP handle multiple subnets?
For the situations where there is more than one LAN, each with its own subnet number, there are two ways. First of all, you can set up a separate server on each subnet. Secondly, a feature of some routers known as "BOOTP forwarding" lets them forward DHCP or BOOTP requests to a server on another subnet and forward the replies back to the client. The part of such a router (or server acting as a router) that does this is called a "BOOTP forwarding agent". Typically you have to enable it on the interface to the subnet to be served and have to configure it with the IP address of the DHCP or BOOTP server. On a Cisco router, the address is known as the "UDP Helper Address".
14. Can a BOOTP client boot from a DHCP server?
Only if the DHCP server is specifically written to also handle BOOTP queries.
15. Can a DHCP client boot from a BOOTP server?
Only if the DHCP client were specifically written to make use of the answer from a BOOTP server. It would presumably treat a BOOTP reply as an unending lease on the IP address.
In particular, the TCP/IP stack included with Windows 95 does not have this capability.
16. Is a DHCP server "supposed to" be able to support a BOOTP client?
The RFC on such interoperability (1534) is clear: "In summary, a DHCP server: ... MAY support BOOTP clients," (section 2). The word "MAY" indicates such support, however useful, is left as an option.
A source of confusion on this point is the following statement in section 1.5 of RFC 1541: "DHCP must provide service to existing BOOTP clients." However, this statement is one in a list of "general design goals for DHCP", i.e. what the designers of the DHCP protocol set as their own goals. It is not in a list of requirements for DHCP servers.
17. Is a DHCP client "supposed to" be able to use a BOOTP server?
The RFC on such interoperability (1534) is clear: "A DHCP client MAY use a reply from a BOOTP server if the configuration returned from the BOOTP server is acceptable to the DHCP client." (section 3). The word "MAY" indicates such support, however useful, is left as an option.
18. Can a DHCP client or server make a DNS server update the client's DNS entry to match the client's dynamically assigned address?
RFCs 2136 and 2137 indicate a way in which DNS entries can be updated dynamically. Using this requires a DNS server that supports this feature and a DHCP server that makes use of it. The RFCs are very recent (as of 5/97) and implementations are few. In the meantime, there are DNS and DHCP servers that accomplish this through proprietary means.
19. Can a DHCP server back up another DHCP server?
You can have two or more servers handing out leases for different addresses. If each has a dynamic pool accessible to the same clients, then even if one server is down, one of those clients can lease an address from the other server. However, without communication between the two servers to share their information on current leases, when one server is down, any client with a lease from it will not be able to renew their lease with the other server. Such communication is the purpose of the "server to server protocol" (see next question). It is possible that some server vendors have addressed this issue with their own proprietary server-to-server communication.
20. When will the server to server protocol be defined?
The DHC WG of the IETF is actively investigating the issues in inter-server communication. The protocol should be defined "soon".
21. Where is DHCP defined?
In Internet RFCs.
22. Can DHCP support remote access?
PPP has its own non-DHCP way in which communications servers can hand clients an IP address, called IPCP (IP Control Protocol), but it doesn't have the same flexibility as DHCP or BOOTP in handing out other parameters. Such a communications server may support the use of DHCP to acquire the IP addresses it gives out. This is sometimes called doing DHCP by proxy for the client. I know that Windows NT's remote access support does this.
A feature of DHCP under development (DHCPinform) is a method by which a DHCP server can supply parameters to a client that already has an IP number. With this, a PPP client could get its IP number using IPCP, then get the rest of its parameters using this feature of DHCP.
SLIP has no standard way in which a server can hand a client an IP address, but many communications servers support non-standard ways of doing this that can be utilized by scripts, etc. Thus, like communications servers supporting PPP, such communications servers could also support the use of DHCP to acquire the IP addresses to give out.
The DHCP protocol is capable of allocating an IP address to a device without an IEEE-style MAC address, such as a computer attached through SLIP or PPP, but to do so, it makes use of a feature which may or may not be supported by the DHCP server: the ability of the server to use something other than the MAC address to identify the client. Communications servers that acquire IP numbers for their clients via DHCP run into the same roadblock in that they have just one MAC address, but need to acquire more than one IP address. One way such a communications server can get around this problem is through the use of a set of unique pseudo-MAC addresses for the purposes of its communications with the DHCP server. Another way (used by Shiva) is to use a different "client ID type" for your hardware address. Client ID type 1 means you're using MAC addresses. However, client ID type 0 means an ASCII string.
23. How can I relay DHCP if my router does not support it?
A server on a net (subnet) can relay DHCP or BOOTP for that net. Microsoft has software to make Windows NT do this.
24. What is DHCP Spoofing?
Ascend Pipeline ISDN routers (which attach Ethernets to ISDN lines) incorporate a feature that Ascend calls "DHCP spoofing", which is essentially a tiny server implementation that hands an IP address to a connecting Windows 95 computer, with the intention of giving it an IP number during its connection process.
25. How long should a lease be?
A very relevant factor is that the client starts trying to renew the lease when it is halfway through: thus, for example, with a 4 day lease, the client which has lost access to its DHCP server has 2 days from when it first tries to renew the lease until the lease expires and the client must stop using the network. During a 2-day outage, new users cannot get new leases, but no lease will expire for any computer turned on at the time that the outage commences.
Another factor is that the longer the lease, the longer it takes for client configuration changes controlled by DHCP to propagate.
26. How can I control which clients get leases from my server?
There is no ideal answer: you have to give something up or do some extra work.
- You can put all your clients on a subnet of your own along with your own DHCP server.
- You can use manual allocation.
- Perhaps you can find DHCP server software that allows you to list which MAC addresses the server will accept. DHCP servers that support roaming machines may be adapted to such use.
- You can use the user class option assuming your clients and server support it: it will require you to configure each of your clients with a user class name. You still depend upon the other clients to respect your wishes.
27. How can I prevent unauthorized laptops from using a network that uses DHCP for dynamic addressing?
This would have to be done using a mechanism other than DHCP. DHCP does not prevent other clients from using the addresses it is set to hand out, nor can it distinguish between a computer's permanent MAC address and one set by the computer's user. DHCP can impose no restrictions on what IP address can use a particular port nor control the IP address used by any client.
28. What features or restrictions can a DHCP server have?
While the DHCP server protocol is designed to support dynamic management of IP addresses, there is nothing to stop someone from implementing a server that uses the DHCP protocol, but does not provide that kind of support. In particular, the maintainer of a BOOTP server implementation might find it helpful to enhance their BOOTP server to allow DHCP clients that cannot speak "BOOTP" to retrieve statically defined addresses via DHCP. The following terminology has become common to describe three kinds of IP address allocation/management. These are independent "features": a particular server can offer or not offer any of them:
- Manual allocation: the server's administrator creates a configuration for the server that includes the MAC address and IP address of each DHCP client that will be able to get an address: functionally equivalent to BOOTP though the protocol is incompatible.
- Automatic allocation: the server's administrator creates a configuration for the server that includes only IP addresses, which it gives out to clients. An IP address, once associated with a MAC address, is permanently associated with it until the server's administrator intervenes.
- Dynamic allocation: like automatic allocation except that the server will track leases and give IP addresses whose lease has expired to other DHCP clients.
Other features which a DHCP server may or may not have:
- Support for BOOTP clients.
- Support for the broadcast bit.
- Administrator-settable lease times.
- Administrator-settable lease times on manually allocated addresses.
- Ability to limit what MAC addresses will be served with dynamic addresses.
- Allows administrator to configure additional DHCP option-types.
- Interaction with a DNS server. Note that there are a number of interactions that one might support and that a standard set & method is in the works.
- Interaction with some other type of name server, e.g. NIS.
- Allows manual allocation of two or more alternative IP numbers to a single MAC address, whose use depends upon the gateway address through which the request is relayed.
- Ability to define the pool/pools of addresses that can be allocated dynamically. This is pretty obvious, though someone might have a server that forces the pool to be a whole subnet or network. Ideally, the server does not force such a pool to consist of contiguous IP addresses.
- Ability to associate two or more dynamic address pools on separate IP networks (or subnets) with a single gateway address. This is the basic support for "secondary nets", e.g. a router that is acting as a BOOTP relay for an interface which has addresses for more than one IP network or subnet.
- Ability to configure groups of clients based upon client-supplied user and/or vendor class. Note: this is a feature that might be used to assign different client-groups on the same physical LAN to different logical subnets.
- Administrator-settable T1/T2 lengths.
- Interaction with another DHCP server. Note that there are a number of interactions that one might support and that a standard set & method is in the works.
- Use of PING (ICMP Echo Request) to check an address prior to dynamically allocating it.
- Server grace period on lease times.
- Ability to force client(s) to get a new address rather than renew.
DHCP Discovery:
The client broadcasts on the local physical subnet to find available servers. Network administrators can configure a local router to forward DHCP packets to a DHCP server on a different subnet. This client implementation creates a UDP packet with the broadcast destination of 255.255.255.255 or the subnet broadcast address and also requests its last-known IP address (in the example below, 192.168.1.100), although the server may ignore this optional parameter.
DHCP Offers:
When a DHCP server receives an IP lease request from a client, it extends an IP lease offer. This is done by reserving an IP address for the client and broadcasting a DHCPOFFER message across the network. This message contains the client's MAC address, followed by the IP address that the server is offering, the subnet mask, the lease duration, and the IP address of the DHCP server making the offer.
The server determines the configuration based on the client's hardware address as specified in the CHADDR field. Here the server, 192.168.1.1, specifies the IP address in the YIADDR field.
DHCP Requests:
Whenever a computer comes on line, it checks to see if it currently has an IP address leased. If it does not, it requests a lease from a DHCP server. Because the client computer does not know the address of a DHCP server, it uses 0.0.0.0 as its own IP address and 255.255.255.255 as the destination address. Doing so allows the client to broadcast a DHCPDISCOVER message across the network. Such a message consists of the client computer's Media Access Control (MAC) address (the hardware address built into the network card) and its NetBIOS name.
The client selects a configuration out of the DHCP "Offer" packets it has received and broadcasts it on the local subnet. Again, this client requests the 192.168.1.100 address that the server specified. In case the client has received multiple offers it specifies the server from which it has accepted the offer.
DHCP Acknowledgement:
When the DHCP server receives the DHCPREQUEST message from the client, it initiates the final phase of the configuration process. This acknowledgement phase involves sending a DHCPACK packet to the client. This packet includes the lease duration and any other configuration information that the client might have requested. At this point, the TCP/IP configuration process is complete.
The server acknowledges the request and sends the acknowledgement to the client. The system as a whole expects the client to configure its network interface with the supplied options.
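
The four-step exchange just described, carried out on the real BOOTP/DHCP wire format, as an added Python example (not code from the page or from any DHCP product). It also covers the two MAC-address spellings from question 9, the client-ID role of chaddr from question 11, and the giaddr-based pool selection that a relay agent relies on (questions 13 and 28). The toy Server class, the pool ranges, the client MACs, the transaction id and the 4-day lease are all constructed for the demonstration; every packet stays in memory.

```python
"""DHCP DORA exchange on the BOOTP/DHCP wire format (added example, not from the
page). Builds and parses DISCOVER/OFFER/REQUEST/ACK with the fields the text names
(chaddr, yiaddr, giaddr, options 50/51/53/54) and runs them through a toy server that
picks its pool from giaddr, as a relay-aware server does. Nothing touches the network."""
import ipaddress
import struct

SERVER_PORT, CLIENT_PORT = 67, 68            # UDP ports DHCP shares with BOOTP
MAGIC = b"\x63\x82\x53\x63"                   # cookie that opens the options field
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5   # option 53 message types
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"        # fixed 236-byte BOOTP header


def parse_mac(text):
    """Accept 0080002012ef, 00:80:00:20:12:ef or the short 0:80:0:2:20:ef form."""
    parts = text.split(":")
    if len(parts) == 1:                       # bare run of 12 hex digits
        parts = [text[i:i + 2] for i in range(0, len(text), 2)]
    if len(parts) != 6:
        raise ValueError("not a 48-bit MAC address: %r" % text)
    return bytes(int(p, 16) for p in parts)


def build(msg_type, xid, chaddr, yiaddr="0.0.0.0", giaddr="0.0.0.0", options=()):
    """Serialise one message; clients send ciaddr 0.0.0.0 with the broadcast flag set."""
    op = 1 if msg_type in (DISCOVER, REQUEST) else 2         # BOOTREQUEST / BOOTREPLY
    head = struct.pack(HEADER, op, 1, 6, 0, xid, 0, 0x8000, b"\0" * 4,
                       ipaddress.IPv4Address(yiaddr).packed, b"\0" * 4,
                       ipaddress.IPv4Address(giaddr).packed,
                       chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = bytes([53, 1, msg_type])                           # option 53 goes first
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return head + MAGIC + body + b"\xff"                      # 0xff ends the options


def parse(packet):
    """Decode the header and the TLV options back into a dict."""
    f = struct.unpack(HEADER, packet[:236])
    if packet[236:240] != MAGIC:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 0xFF:
        if packet[i] == 0: i += 1; continue   # pad option has no length byte
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"xid": f[4], "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "giaddr": str(ipaddress.IPv4Address(f[10])), "chaddr": f[11][:f[2]],
            "type": opts[53][0], "options": opts}


class Server:
    """Toy server with one dynamic pool per subnet. A relayed DISCOVER is matched to
    its pool by giaddr; one received directly (giaddr 0.0.0.0) uses the server's subnet."""

    def __init__(self, server_ip, pools, lease_seconds=4 * 86400):
        self.ip, self.lease = ipaddress.IPv4Address(server_ip), lease_seconds
        self.free = {}                        # network -> addresses not yet handed out
        for cidr, first, last in pools:
            lo, hi = (int(ipaddress.IPv4Address(a)) for a in (first, last))
            self.free[ipaddress.IPv4Network(cidr)] = [ipaddress.IPv4Address(n) for n in range(lo, hi + 1)]
        self.offered, self.leases = {}, {}    # keyed by chaddr, the default client ID

    def _pool(self, giaddr):
        probe = self.ip if giaddr == "0.0.0.0" else ipaddress.IPv4Address(giaddr)
        for net in self.free:
            if probe in net:
                return net
        raise LookupError("no pool for requests relayed from %s" % giaddr)

    def handle(self, packet):
        msg = parse(packet)
        mac, xid, gi = msg["chaddr"], msg["xid"], msg["giaddr"]
        if msg["type"] == DISCOVER:
            net = self._pool(gi)
            wanted = msg["options"].get(50)   # last-known address, optional
            wanted = ipaddress.IPv4Address(wanted) if wanted else None
            addr = wanted if wanted in self.free[net] else self.free[net][0]  # IndexError: pool empty
            self.free[net].remove(addr)       # reserve it for this client
            self.offered[mac] = (addr, net)
            reply = OFFER
        elif msg["type"] == REQUEST:
            if msg["options"].get(54) != self.ip.packed:
                return None                   # the client accepted another server's offer
            addr, net = self.offered.pop(mac)
            self.leases[mac] = addr
            reply = ACK
        else:
            return None                       # DECLINE, RELEASE etc. are not modelled
        return build(reply, xid, mac, yiaddr=str(addr), giaddr=gi, options=[
            (1, net.netmask.packed), (51, struct.pack("!I", self.lease)), (54, self.ip.packed)])


def dora(server, mac_text, requested=None, giaddr="0.0.0.0", xid=0x3903F326):
    """Run the four-step exchange for one client; return (address, lease seconds)."""
    mac = parse_mac(mac_text)
    opts = [(50, ipaddress.IPv4Address(requested).packed)] if requested else []
    offer = parse(server.handle(build(DISCOVER, xid, mac, giaddr=giaddr, options=opts)))
    ack = parse(server.handle(build(REQUEST, xid, mac, giaddr=giaddr, options=[
        (50, ipaddress.IPv4Address(offer["yiaddr"]).packed), (54, offer["options"][54])])))
    return ack["yiaddr"], struct.unpack("!I", ack["options"][51])[0]
```

Two things worth noticing when you run it: a second client that asks for an address already reserved gets the next free one instead, which is the "server may ignore this optional parameter" behaviour the Discovery paragraph mentions, and a REQUEST carrying another server's identifier in option 54 is silently dropped, which is how a client with several offers tells the losing servers to release their reservations.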

Groups

Distribution Groups -- Used for email. Useful for programs such as MS Exchange.

Security Groups - Used to secure file/folders, printers, etc.

Local - Stored on the local SAM ( Local Computers )
Domain Local - Stored on Domain Controllers.
Global Groups - Gives you a greater group scope.
Universal - Gives you an even broader group scope.

Windows 2000 Mixed can contain:

Domain Local -- At the same time they can contain Accounts ( Any user/computer account ),
and global groups. Access to the same domain.
Global groups - They can contain Accounts ( user/computer accounts ). Access to Any domain
Universal - N/A not applicable at this DFL. Access to any domain

Windows 2000 Native or Windows 2003 DFL can contain:

Domain Local - Accounts ( users/computers ), Domain local Groups ( same domain ) , global
groups, and universal groups.

Global Groups - Accounts ( users/computers from the same domain ), Global groups ( same
domain )

Universal Groups - Accounts ( users/computers ), Global Groups, and Universal Groups.

Group Conversion

Domain Local - You can convert it to Universal ( A Domain Local group must already contain a
Domain Local group in order for the conversion to take place )
Global Group - You can convert it to Universal ( A Global group must already contain a Global
group in order for the conversion to take place )
Universal Group - You can convert it to either Domain Local, or Global Group.

Group Nesting

Same Domain

Start by adding users to Global Groups. Those global groups can in turn be nested within
Domain Local Groups and Universal groups.

Global Groups can also be nested within Global Groups in the same domain.

Cross-Domain Group nesting

Global Groups can be nested within Domain Local groups, or within a Universal Group, in
the other domain.

Global Groups cannot be nested across domains. You cannot take a Global Group from
proprofs.local, and nest it within another global group in proprofs.com.

You cannot take a user/computer account from one domain, and nest it within a global group in
another domain.

Global Groups can be used to grant access to files/folders ( NTFS Permissions) in the same
domain, and in a different domain as well.

Domain Local groups can accept anything, except for Domain Local groups from another
domain. It accepts user accounts from the same domain, and a different domain as well. A
global/universal group from the same domain/different domain can also be nested within a
Domain Local group.

Resources - Domain Local Groups can only access resources on the domain on which it
resides. For example a domain Local group Named HelpDesk on the proprofs.local domain can
only access resources on that domain, and not on proprofs.com

Universal Groups - Accept user/computer accounts from the same domain, and a different
domain as well. A global group can also be nested within a Universal Group ( from the
same/different domain(s) )

Note: You cannot take a Domain Local Group, and nest it within a Universal Group ( from the
same/different domain(s) )

A Universal Group can be nested within another Universal Group in the same domain, and in
different domains as well. They can also be nested within Domain Local Groups in the same
domain, and in different domains as well. Universal Groups can never be a member of Universal
Groups.

Resources - It can be used to access resources ( NTFS Permissions ) on the same domain, and
in different domains as well.
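
The nesting and resource rules above, encoded as an added Python example (not code from the page or from Windows) so that a proposed AGDLP chain (account, global group, domain local group, resource) can be checked before it is built. The Principal records, the proprofs.local / proprofs.com groups, and the "mixed" rule table (taken from the Windows 2000 Mixed "can contain" list earlier in this section) are constructed for the demonstration.

```python
"""Group-nesting and resource-access rule checker (added example, not from the page).
Encodes the membership rules for the Windows 2000 native / Windows 2003 domain
functional level and the narrower Windows 2000 mixed rules, then validates a chain
account -> ... -> group -> resource against them."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    scope: str            # "account", "global", "domain_local" or "universal"


# DFL -> container scope -> {member scope: "same" (same domain only) or "any" domain}
RULES = {
    "native": {
        "global": {"account": "same", "global": "same"},
        "domain_local": {"account": "any", "global": "any", "universal": "any",
                         "domain_local": "same"},
        "universal": {"account": "any", "global": "any", "universal": "any"},
    },
    "mixed": {                                  # no universal groups, no DL-in-DL nesting
        "global": {"account": "same"},
        "domain_local": {"account": "any", "global": "any"},
    },
}


def can_nest(member, group, dfl="native"):
    """Return (allowed, reason) for making `member` a member of `group`."""
    table = RULES[dfl]
    if group.scope not in table:
        return False, "%s groups are not available at the %s DFL" % (group.scope, dfl)
    where = table[group.scope].get(member.scope)
    if where is None:
        return False, "a %s group cannot contain a %s" % (group.scope, member.scope)
    if where == "same" and member.domain != group.domain:
        return False, "%s members of a %s group must come from the same domain" % (
            member.scope, group.scope)
    return True, "ok"


def can_access(group, resource_domain):
    """Domain local groups only grant access in their own domain; global and
    universal groups can be placed on ACLs in any domain."""
    return group.scope != "domain_local" or group.domain == resource_domain


def validate_chain(chain, resource_domain, dfl="native"):
    """Check every nesting step of the chain, then the last group against the
    resource's domain. Returns the list of rule violations (empty when valid)."""
    problems = [why for inner, outer in zip(chain, chain[1:])
                for ok, why in [can_nest(inner, outer, dfl)] if not ok]
    if not can_access(chain[-1], resource_domain):
        problems.append("%s is domain local to %s and cannot be used on %s resources"
                        % (chain[-1].name, chain[-1].domain, resource_domain))
    return problems


# Constructed sample principals in the two domains the text uses.
ALICE = Principal("alice", "proprofs.local", "account")
G_LOCAL = Principal("G-Admins", "proprofs.local", "global")
G_COM = Principal("G-Admins", "proprofs.com", "global")
DL_LOCAL = Principal("HelpDesk", "proprofs.local", "domain_local")
DL_COM = Principal("DL-FileShare", "proprofs.com", "domain_local")
U_COM = Principal("U-Staff", "proprofs.com", "universal")
```

The checker returns the reason with each refusal, so the HelpDesk example from the text (a domain local group on proprofs.local that cannot be used for a proprofs.com resource) is reported as a resource-domain problem rather than a nesting problem.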

One benefit of Universal Groups is that their membership is listed in the Global Catalog. In
Windows 2000, whenever a change was made to a Universal Group, the membership of all its
members was updated in the Global Catalog, causing a lot of unnecessary traffic between GCs.
Windows 2003 solves the aforementioned problem by updating the membership of only the
affected member. In other words, it does not replicate all the accounts in the Universal
group, only the one you made changes to. ( Note: This new feature is only available if the
Domain Functional Level ( DFL ) is on Windows 2003 )
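
Question 18 above (linked value replication) and the Universal group note just above describe the same mechanism. The following simulation is an added Python example, not code from the page or from Windows: it contrasts whole-attribute replication of a group's member attribute with per-value (linked value) replication, showing both the traffic difference and the lost update that the older model produces when two DCs change the same group before replicating with each other. The Stamp tie-break (version, then DC name) and the 1,000-member group are constructed simplifications of AD's real replication metadata.

```python
"""Whole-attribute versus linked-value replication (added example, not from the page).
Two DCs each add a different member to the same 1,000-member group before replicating.
Under the Windows 2000 model the member attribute is one versioned unit, so the whole
list is sent and one addition is lost when the stamps collide. Under Windows 2003
linked-value replication each value carries its own stamp, so only the changed value
is sent and both additions survive. The tie-break below (higher version, then DC name)
is a simplification of AD's real stamp comparison."""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Stamp:
    version: int
    originating_dc: str


class AttributeLevelGroup:
    """Windows 2000 style: one stamp for the whole multi-valued attribute."""

    def __init__(self, members):
        self.members = set(members)
        self.stamp = Stamp(1, "origin")

    def add(self, member, dc):
        self.members.add(member)
        self.stamp = Stamp(self.stamp.version + 1, dc)

    def outbound(self):
        # every value travels, because the attribute is the unit of replication
        return {"values": sorted(self.members), "stamp": self.stamp}

    def apply(self, payload):
        if payload["stamp"] > self.stamp:       # newer stamp wins for the whole attribute
            self.members, self.stamp = set(payload["values"]), payload["stamp"]

    @staticmethod
    def size(payload):
        return len(payload["values"])


class LinkValueGroup:
    """Windows 2003 LVR style: each member value has its own stamp."""

    def __init__(self, members):
        self.stamps = {m: Stamp(1, "origin") for m in members}
        self.changed = set()

    def add(self, member, dc):
        old = self.stamps.get(member, Stamp(0, ""))
        self.stamps[member] = Stamp(old.version + 1, dc)
        self.changed.add(member)

    def outbound(self):
        # only values stamped since the last send are replicated
        payload = {m: self.stamps[m] for m in self.changed}
        self.changed = set()
        return payload

    def apply(self, payload):
        for member, stamp in payload.items():
            if stamp > self.stamps.get(member, Stamp(0, "")):
                self.stamps[member] = stamp

    @property
    def members(self):
        return set(self.stamps)

    @staticmethod
    def size(payload):
        return len(payload)


def simulate(model, base_members):
    """Concurrent adds on two DCs, then one replication cycle each way.
    Returns (values sent by DC1, whether both DCs converged, final member set)."""
    dc1, dc2 = model(base_members), model(base_members)
    dc1.add("alice", "DC1")
    dc2.add("bob", "DC2")
    p1, p2 = dc1.outbound(), dc2.outbound()
    dc2.apply(p1)
    dc1.apply(p2)
    return model.size(p1), dc1.members == dc2.members, dc1.members


BASE = {"user%04d" % i for i in range(1000)}     # constructed 1,000-member group
```

Both models converge, which is why the older behaviour was easy to miss: the DCs agree with each other, but with attribute-level replication they agree on a membership that has silently dropped alice.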

System Center OPS Manager

Your company deploys System Center Operations Manager 2007 agents as part of a computer image. You join all computers in the company to the corporate Active Directory domain. You need to ensure that agents automatically obtain settings from the corporate Active Directory domain at startup. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Use the MOMADAdmin utility to publish Management Group information to the corporate Active Directory domain.
B. Run the Discovery Wizard. Perform automatic computer discovery to scan Active Directory for installed agents.
C. Configure Auto Agent Assignment on the target Management Server to assign desired computers to the target Management Server.
D. Configure an Active Directory Group Policy object (GPO) to publish Management Group information to computers in the corporate Active Directory domain.

You install System Center Operations Manager 2007 on all your company's servers. You configure Operations Manager 2007 to monitor the health status of all applications. The technical support team reports that they are not receiving e-mail notification when an application fails. You need to ensure that the technical support team receives e-mail notification when an application fails. What should you do?
A. Create a new user role that is based on the Advanced Operator profile. Filter a notification subscription to this new role.
B. Create a new user role that is based on the Operator profile. Filter a notification subscription to this new role.
C. Enable e-mail notification. Create a new notification subscription based on Alert Aging.
D. Enable e-mail notification. Create a new notification recipient, and then create a new notification subscription.

Your company has two Active Directory domains. One domain is located in the trusted network. The other domain is located in the perimeter network. No trust relationship exists between the two domains. You deploy System Center Operations Manager 2007 in the Active Directory domain on the trusted network. You manually install the agent on an application server that resides in the Active Directory domain in the perimeter network. The agent does not appear in the Operations Console. An error event indicates that the agent is unable to obtain configuration information from the Management Server. You need to configure Operations Manager 2007 to monitor the agent. What should you do?
A. Disable mutual authentication in the Operations Console.
B. Perform a push installation of the agent to the target server.
C. Configure the agent on the application server to use certificate-based authentication.
D. On the Management Server, configure Auto Agent Assignment settings. Use the MOMADAdmin utility to publish Management Group information to the Active Directory domain in the perimeter network.

You deploy System Center Operations Manager 2007 in your company's Active Directory domain. You manually install an Operations Manager agent on an application server named Server1. Server1 is a member of the Active Directory domain. The agent does not appear in the Pending Management view in the Operations Console. An error message in the Operations Manager Event log on Server1 indicates that the agent is unable to obtain configuration information from the Management Server. You need to ensure that the agent appears in the Pending Management view in the Operations Console. What should you do?
A. Select the Review new manual agent installations in pending management view option.
B. Configure the agent on Server1 to use certificate-based authentication.
C. Add the Management Server action account to the local Administrators group on Server1. Restart the Health Service on Server1.
D. Disable mutual authentication in the Operations Console. Restart the Health Service on Server1.

Your company has a System Center Operations Manager 2007 environment. The company has four branch offices, which are connected by a wide area network (WAN). The routers that connect the branch offices to the main office experience occasional failures. You need to configure Operations Manager 2007 to discover branch office routers and to monitor for device failure. What should you do?
A. Perform automatic discovery by using the Computer and Device Management Wizard to add the branch office routers as monitored objects.
B. Perform advanced discovery by using the Computer and Device Management Wizard to add the branch office routers as monitored objects.
C. Run the New-CustomMonitoringObject PowerShell cmdlet on the Management Server. Use the Set-ProxyAgent cmdlet to set a proxy agent to remotely monitor branch office routers.
D. Run the New-Object PowerShell cmdlet on the Management Server. Use the Set-ProxyAgent cmdlet to set a proxy agent to remotely monitor branch office routers.

An improper message with the subject line of Exchange is sent to each user on the Exchange Server 2007 Mailbox server named ExchP4S1. You should clear this message from all mailboxes. Which action will you take?
A. From the Exchange Management Console, create a new transport rule named Exchange delete. Set the condition to "when the Subject field contains Exchange". Set the action to "silently drop the message".
B. On ExchP4S1, find the message ID of the original message and then run the Remove-Message -Identity <IDnumber> cmdlet.
C. Create a new mailbox named TempMailbox that has a folder named Export. Run the Get-Mailbox -Server ExchP4S1 | Export-Mailbox -TargetMailbox TempMailbox -TargetFolder Export -SubjectKeywords "Exchange" -DeleteContent cmdlet.
D. On ExchP4S1, find the message ID of the original message and then run the Export-Message -Identity <IDnumber> c:\temp cmdlet. Delete all of the messages in the directory.

Microsoft Exchange Server 2007 provides built-in protection technologies to help keep the e-mail system up and running and better protected from outside threats while allowing employees to work from wherever they are using a variety of clients including Microsoft Outlook, Outlook Web Access, and mobile devices. Your Exchange Server 2007 organization has a resource mailbox named ExecConfRm. All users can schedule meetings for ExecConfRm. You are asked to modify the ExecConfRm settings to make sure that only two users named Lucy and Lily are able to schedule meetings for ExecConfRm. Which cmdlet will you run?
A. Set-MailboxCalendarSettings -Identity "ExecConfRm" -BookInPolicy Lily,Lucy -AllBookInPolicy $false
B. Set-MailboxCalendarSettings -Identity "ExecConfRm" -RequestInPolicy Lily,Lucy
C. Set-MailboxCalendarSettings -Identity "ExecConfRm" -RequestOutOfPolicy Lily,Lucy -AllBookInPolicy $false
D. Set-MailboxCalendarSettings -Identity "ExecConfRm" -ResourceDelegates Lily,Lucy

While monitoring your network, you find that the number of RPC operations per second is higher than expected. What tool can you use to analyze this problem?
A. Mail Flow Troubleshooter
B. Performance Troubleshooter
C. Best Practices Analyzer
D. Database Recovery Management

Exchange Server 2007 makes it easier for IT to deliver new capabilities to their organizations by making the messaging environment easier to manage and more cost efficient. In your Exchange Server 2007 organization, Microsoft ActiveSync is configured on the Exchange servers but is now disabled for users. A user in the Exchange organization has a new mobile device. He would like his device to synchronize with the Exchange servers over a wireless network. You are asked to enable the ActiveSync feature for only this user. Which two ways are possible to accomplish this objective? (Each correct answer presents a complete solution. Choose two.)
A. Run the Set-ActiveSyncMailboxPolicy cmdlet.
B. Run the Set-CASMailbox cmdlet.
C. Use the Active Directory Users and Computers console to enable the ActiveSync feature for the user.
D. Use the Exchange Management Console to enable the ActiveSync feature for the user.

Exchange Server 2007 offers built-in protective technologies to keep your business moving, reduce spam and viruses, enable confidential communications, and help your company to be compliant. You should allow the owner of each distribution group in your Exchange Server 2007 organization to modify membership for the group. You need not allow the owner to make any other changes. Which action will you take?
A. On the Managed By tab of each distribution group, add the owner, and select the Manager can update membership list check box.
B. Add the user accounts of the distribution group owners to the Exchange Recipient Administrator role.
C. Modify each distribution group by assigning the Send As permission to the owner's user account.
D. Modify each distribution group by assigning the Write permission to the owner's user account.
