1.

What is Active Directory ?

Active Directory is a database which store a data base like your user information, computer
information and also other network object info. It has capabilities to manage and administer the
complete Network which connect with AD.
2.
What is domain ?
A domain is a named collection of hosts and subdomains, registered with a unique name by the
InterNIC.
3.
What is domain controller ?
A Domain controller (DC) is a server that responds to security authentication requests (logging in,
checking permissions, etc.) within the Windows Server domain. A domain is a concept introduced in
Windows NT whereby a user may be granted access to a number of computer resources with the use
of a single username and password combination
4.
What is LDAP ?
Lightweight Directory Access Protocol LDAP is the industry standard directory access protocol, making
Active Directory widely accessible to management and query applications. Active Directory supports
LDAPv3 and LDAPv2.
5.
What is KCC ?
KCC ( knowledge consistency checker ) is used to generate replication topology for inter site
replication and for intra site replication with in a site replication traffic is done via remote procedure
calls over ip, while between site it is done through either RPC or SMTP.
6.
Where is the AD database held? What other folders are related to AD?
The AD data base is store in c:\windows\ntds\NTDS.DIT.
7.
What is the use of SYSVOL folder?
The SYSVOL folder stores the server's copy of the domain's public files. The contents such as group
policy, users etc of the SYSVOL folder are replicated to all domain controllers in the domain.
8.
What is LSDOU ?
Its group policy inheritance model, where the policies are applied to Local machines, Sites, Domains
and Organizational Units
9.
What is lost & found folder in ADS ?
Its the folder where you can find the objects missed due to conflict. Ex: you created a user in OU
which is deleted in other DC & when replication happed ADS didnt find the OU then it will put that in
Lost & Found Folder.
10.
What is Garbage collection ?
Garbage collection is the process of the online defragmentation of active directory. It happens every
12 Hours
11.
What System State data contains ?
1. Contains Startup files,
2. Registry
3. Com + Registration Database
4. Memory Page file
5. System files
6. AD information
7. Cluster Service information
8. SYSVOL Folder
12.
What is the use of LDAP ?
LDAP is designed to allow for the transfer of information between domain controllers and to allow
users to query information about objects within the directory.
13.
What is the purpose of replication in AD ?
The purpose of replication is to distribute the data stored within the directory throughout the
organization for increased availability, performance, and data protection. Systems administrators can
tune replication to occur based on their physical network infrastructure and other constraints.
14.
What is global catalog ?
The Global Catalog is a database that contains all of the information pertaining to objects within all
domains in the Active Directory environment.
15.
What is DNS Zones ?
A DNS zone is a portion of the DNS namespace over which a specific DNS server has authority.
16.
What is a site ?
one or more well-connected highly reliable and fast TCP/IP subnets. A site allows administrator to
configure active directory access and replication topology to take advantage of the physical network.


17.
What is Active Directory Schema ?
The Active Directory schema contains formal definitions of every object class that can be created in an
Active Directory forest. it also contains formal definitions of every attribute that can exist in an Active
Directory Object.
18.
What are the benefits of AD integrated DNS ?
1. A few advantages that Acrive Directory-integrated zone implementations have over
standard primary zone implementation are :
2. Active Directory replication is faster, which means that the time needed to transfer zone
data between zones is farless.
3. The Active Directory replication topology is used for Active Directory replication, and for
Active Directory- integrated zone replication. There is no longer a need for DNS
replication when DNS and Active Directory are integrated.
19.
What is File Replication Service (FRS)
File Replication Service is a Microsoft service which replicates folders stored in sysvol shared folders on
domain controllers and distributed file system shared folders. This service is a part of Microsoft's
Active Directory Service.
20.
Explain different zone involved in DNS Server?
DNS has two different Zones Forward Lookup Zone and Reverse Lookup Zone. There two Zones are
categorized into three zones and are as follows:
Primary zone: It contains the read and writable copy of the DNS Database.
Secondary Zone: It acts as a backup for the primary zone and contains the read only copy of the DNS
database.
Stub zone: It is also read-only like a secondary zone; stub zone contains only SOA, copies of NS and A
records for all name servers authoritative for the zone
21.
What is the difference between local, global and universal groups ?
Domain local groups assign access permissions to global domain groups for local domain resources.
Global groups provide access to resources in other trusted domains. Universal groups grant access to
resoures in all trusted domains.
22.
What is RPC protocol ?
A protocol RPC (Remote Procedure Call) used to allow communications between system process on
remote computers. The RPC protocol is used by the Active Directory for intrasite replication.



23.
What is Resource Record ?
Resource Record (RR) is a DNS entry that specifies the availability of specific DNS services.For
Example, an MX record specifies the IP address of a mail server, and Host (A) records specify the IP
addresses of workstations on the network.
24.
What is a Tree ?
A set of Active Directory domains that share a common namespace and are connected by a transitive
two-way trust. Resources can be shared between the domains in an Active Directory.
25.
What is REPADMIN ?
This command-line tool assists administrators in diagnosing replication problems between windows
domain conrollers. Administrators can use Repadmin to view the replication topology as seen from the
perspective of each domain contrsoller.
26.
Is the DNS protocol involved when a user's pings a website name?
Yes it is involved. When the user pings the website name, a DNS request packet is sent to the DNS
server which would then respond with the IP address of the web server on which the website is
hosted.
27.
On a network, should the DNS server IP address be configured on the computer or
the internet router for users to browse the internet?
The DNS server IP address should be configured on the computer for the users to browse the internet.
28.
In a LAN network should the DNS server be inside the network or can it reside on
the internet?
The DNS server can reside anywhere as long as the computers and devices requiring DNS service
have network access to it.
29.
How does a computer know to which DNS server it has to send the request?
The DNS server IP address is configured on the TCP/IP adapter setting of the computer. With this
information, the computer knows the DNS server to which the request has to be sent.
30.
What are the requirements for installing AD on a new server?
The Domain structure.
The Domain Name .
storage location of the database and log file.
Location of the shared system volume folder.
DNS config Methode.
DNS configuration.
31.
Which port does a DNS Server Use?
UDP port 53

32.
A user opens the browser and types the IP address of the webserver on
which a website is hosted. Is DNS protocol involved during the scenario?
The DNS protocol is used to resolve the website name into the corresponding IP address. In
this case, since the IP address is already known, DNS protocol is not required and is not
involved in the scenario.

33.
Name two methods by which DNS can be configured on a computer.
It can be manually configured on the TCP/IP adapter or by a DHCP server.

34.
If a computer is configured with a default gateway address, should the
same address be used as the DNS server IP address ?
It is not mandatory. The DNS server IP address can be any value provided the computer has
access to it.

35.
What is sites ? What are they used for ?
One or more well-connected (highly reliable and fast) TCP/IP subnets.
A site allows administrators to configure Active Directory access and replication topology to
take advantage of the physical network.
A Site object in Active Directory represents a physical geographic location that hosts
networks. Sites contain objects called Subnets.
Sites can be used to Assign Group Policy Objects, facilitate the discovery of resources,
manage active directory replication, and manage network link traffic.

36.
Trying to look at the Schema, how can I do that ?
register schmmgmt.dll using this command
c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc > add snapin > add Active directory schema
name it as schema.msc
Open administrative tool > schema.msc

37.
What is the port no of Kerberos ?
88

38.
What is the port no of Global catalog ?
3268
39.
How can you forcibly remove AD from a server, and what do you do later? ?
Can I get user passwords from the AD database?
Dcpromo /forceremoval , an administrator can forcibly remove Active Directory and roll back
the system without having to contact or replicate any locally held changes to another DC in
the forest. Reboot the server then After you use the dcpromo /forceremoval command, all
the remaining metadata for the demoted DC is not deleted on the surviving domain
controllers, and therefore you must manually remove it by using the NTDSUTIL command.
In the event that the NTDS Settings object is not removed correctly you can use the
Ntdsutil.exe utility to manually remove the NTDS Settings object. You will need the following
tool: Ntdsutil.exe, Active Directory Sites and Services, Active Directory Users and
Computers.
40.
How many root DNS servers are available in the world
13.
41.
What are the FSMO roles?
Flexible Single Master Operation (FSMO) role. Currently there are five FSMO roles:
Schema master
Domain naming master
RID master
PDC emulator
Infrastructure master
42.
What is domain tree ?
Domain Trees: A domain tree comprises several domains that share a common schema and
configuration, forming a contiguous namespace. Domains in a tree are also linked together by trust
relationships. Active Directory is a set of one or more trees.
Trees can be viewed two ways. One view is the trust relationships between domains. The other view is
the namespace of the domain tree.
43.
What is forests ?
A collection of one or more domain trees with a common schema and implicit trust relationships
between them. This arrangement would be used if you have multiple root DNS addresses.
44.
How to Select the Appropriate Restore Method ?
You select the appropriate restore method by considering:
Circumstances and characteristics of the failure. The two major categories of failure, From an Active
Directory perspective, are Active Directory data corruption and hardware failure.
Active Directory data corruption occurs when the directory contains corrupt data that has been
replicated to all domain controllers or when a large portion of the Active Directory hierarchy has been
changed accidentally (such as deletion of an OU) and this change has replicated to other domain
controllers.
45.
Where are the Windows NT Primary Domain Controller (PDC) and its Backup
Domain Controller (BDC) in Server 2003?
The Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read
and write relationship that hosts copies of the Active Directory.
46.
What is Global Catalog?
The Global Catalog authenticates network user logons and fields inquiries about objects across a forest
or tree. Every domain has at least one GC that is hosted on a domain controller. In Windows 2000,
there was typically one GC on every site in order to prevent user logon failures across the network.
47.
How long does it take for security changes to be replicated among the domain
controllers?
Security-related modifications are replicated within a site immediately. These changes include account
and individual user lockout policies, changes to password policies, changes to computer account
passwords, and modifications to the Local Security Authority (LSA).
48.
When should you create a forest?
Organizations that operate on radically different bases may require separate trees with distinct
namespaces. Unique trade or brand names often give rise to separate DNS identities. Organizations
merge or are acquired and naming continuity is desired. Organizations form partnerships and joint
ventures. While access to common resources is desired, a separately defined tree can enforce more
direct administrative and security restrictions.
49.
Describe the process of working with an external domain name ?
If it is not possible for you to configure your internal domain as a subdomain of your external domain,
use a stand-alone internal domain. This way, your internal and external domain names are unrelated.
For example, an organization that uses the domain name contoso.com for their external namespace
uses the name corp.internal for their internal namespace.
The advantage to this approach is that it provides you with a unique internal domain name. The
disadvantage is that this configuration requires you to manage two separate namespaces. Also, using
a stand-alone internal domain that is unrelated to your external domain might create confusion for
users because the namespaces do not reflect a relationship between resources within and outside of
your network.
In addition, you might have to register two DNS names with an Internet name authority if you want to
make the internal domain publicly accessible.

50.
One easiest way to check all the 5 FSMO roles ?
Use netdom query /domain:YourDomain FSMO command. It will list all the FSMO role handling domain
controllers.
51.
Which FSMO role directly impacting the consistency of Group Policy ?
PDC Emulator.
52.
Explain the process between a user providing his Domain credential to his
workstation and the desktop being loaded? Or how the AD authentication works ?
When a user enters a user name and password, the computer sends the user name to the KDC. The
KDC contains a master database of unique long term keys for every principal in its realm. The KDC
looks up the user's master key (KA), which is based on the user's password. The KDC then creates
two items: a session key (SA) to share with the user and a Ticket-Granting Ticket (TGT). The TGT
includes a second copy of the SA, the user name, and an expiration time. The KDC encrypts this ticket
by using its own master key (KKDC), which only the KDC knows. The client computer receives the
information from the KDC and runs the user's password through a one-way hashing function, which
converts the password into the user's KA. The client computer now has a session key and a TGT so
that it can securely communicate with the KDC. The client is now authenticated to the domain and is
ready to access other resources in the domain by using the Kerberos protocol.
53.
Name few port numbers related to Active Directory ?
Kerberos 88, LDAP 389, DNS 53, SMB 445.
54.
Which version of Kerberos is used for Windows 2000/2003 and 2008 Active
Directory ?
All versions of Windows Server Active Directory use Kerberos 5.
55.
How do you check currently forest and domain functional levels? Say both GUI and
Command line.
To find out forest and domain functional levels in GUI mode, open ADUC, right click on the domain
name and take properties. Both domain and forest functional levels will be listed there. TO find out
forest and domain functional levels, you can use DSQUERY command.
56.
What is RODC ? Why do we configure RODC ?
Read only domain controller (RODC) is a feature of Windows Server 2008 Operating System. RODC is
a read only copy of Active Directory database and it can be deployed in a remote branch office where
physical security cannot be guaranteed. RODC provides more improved security and faster log on time
for the branch office.

57.
What is Active Directory Recycle Bin ?
Active Directory Recycle bin is a feature of Windows Server 2008 AD. It helps to restore accidentally
deleted Active Directory objects without using a backed up AD database, rebooting domain controller
or restarting any services.
58.
What is group nesting ?
Adding one group as a member of another group is called 'group nesting'. This will help for easy
administration and reduced replication traffic.
59.
What are the logical components of Active Directory ?
Domains, Organizational Units, trees and forests are logical components of Active Directory.
60.
Can you connect Active Directory to other 3rd-party Directory Services? Name a
few options?
Yes, you can use dirXML or LDAP to connect to other directories. In Novell you can use E-directory.
61.
How do you create a new application partition ?
Use the DnsCmd command to create an application directory partition.
To do this, use the following syntax:
DnsCmd ServerName /CreateDirectoryPartition FQDN of partition
62.
Difference between LDIFDE and CSVDE?
CSVDE is a command that can be used to import and export objects to and from the AD into a CSV-
formatted file. A CSV (Comma Separated Value) file is a file easily readable in Excel. I will not go to
length into this powerful command, but I will show you some basic samples of how to import a large
number of users into your AD. Of course, as with the DSADD command, CSVDE can do more than just
import users. Consult your help file for more info.
LDIFDE is a command that can be used to import and export objects to and from the AD into a LDIF-
formatted file. A LDIF (LDAP Data Interchange Format) file is a file easily readable in any text editor,
however it is not readable in programs like Excel. The major difference between CSVDE and LDIFDE
(besides the file format) is the fact that LDIFDE can be used to edit and delete existing AD objects
(not just users), while CSVDE can only import and export objects.
63.
What are the DS* commands ?
The following DS commands: the DS family built in utility .
1. DSmod - modify Active Directory attributes.
2. DSrm - to delete Active Directory objects.
3. DSmove - to relocate objects
4. DSadd - create new accounts
5. DSquery - to find objects that match your query attributes.
6. DSget - list the properties of an object
64.
What are System State data contains ?
1. Contains Startup files
2. Registry
3. Com + Registration Database
4. Memory Page file
5. System files
6. AD information
7. Cluster Service information
8. SYSVOL Folder
65.
What is lost & found folder in ADS ?
It's the folder where you can find the objects missed due to conflict. Ex: you created a user in OU
which is deleted in other DC & when replication happed ADS didn't find the OU then it will put that in
Lost & Found Folder.
66.
What Intrasite and Intersite Replication ?
Intrasite is the replication with in the same site & intersite the replication between sites.
67.
Which is service in your windows is responsible for replication of Domain
controller to another domain controller?
KCC generates the replication topology.
Use SMTP / RPC to replicate changes.
68.
What is LSDOU ?
It's group policy inheritance model, where the policies are applied toLocal machines, Sites, Domains
and Organizational Units.
69.
How to look at the Schema ?
register schmmgmt.dll using this command
c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc --> add snapin --> add Active directory schema
name it as schema.msc
Open administrative tool --> schema.msc
70.
What is BridgeHead Server in AD ?
A bridgehead server is a domain controller in each site, which is used as a contact point to receive and
replicate data between sites. For intersite replication, KCC designates one of the domain controllers as
a bridgehead server. In case the server is down, KCC designates another one from the domain
controller. When a bridgehead server receives replication updates from another site, it replicates the
data to the other domain controllers within its site.