22/10/2013

Windows Server 2008 AD Interview Questions

Latest Active Directory Interview Questions

> What are the physical components of Active Directory?
Domain controllers and sites. Domain controllers are physical computers running the Windows Server operating system and hosting the Active Directory database. Sites are network segments based on geographical location; each site contains multiple domain controllers.
> What are the logical components of Active Directory?
Domains, Organizational Units, trees and forests are the logical components of Active Directory.
> What are the Active Directory partitions?
The Active Directory database is divided into partitions: the Schema partition, the Domain partition and the Configuration partition. Apart from these, Application partitions can be created as required.
> What is group nesting?
Adding one group as a member of another group is called 'group nesting'. It simplifies administration and reduces replication traffic.
> What is the feature of Domain Local Group?
Domain local groups are mainly used for granting access to network resources. A domain local group can contain accounts from any domain, global groups from any domain and universal groups from any domain. For example, if you want to grant 10 users from Domain B permission to a printer located in Domain A, create a global group in Domain B and add all 10 users to it. Then create a domain local group in Domain A, add the global group of Domain B to it, and finally add the domain local group of Domain A to the security ACL of the printer (in Domain A).
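The Accounts, Global, Domain Local, Permission (AGDLP) pattern described above, written out with the ActiveDirectory PowerShell module as an added example that is not from the original page; the domain names, OU paths, group names and user names are assumptions:

```powershell
Import-Module ActiveDirectory

# Assumptions for illustration: two trusted domains; OU paths and names are made up.
$DomainA   = 'domaina.example'   # domain that owns the printer
$DomainB   = 'domainb.example'   # domain where the 10 users live
$UserNames = 1..10 | ForEach-Object { "user$_" }

# Step 1 (Accounts -> Global): a global group in Domain B holding the 10 accounts.
$gg = New-ADGroup -Name 'GG-PrinterA-Users' -GroupScope Global -GroupCategory Security `
        -Path 'OU=Groups,DC=domainb,DC=example' -Server $DomainB -PassThru
$members = $UserNames | ForEach-Object { Get-ADUser -Identity $_ -Server $DomainB }
Add-ADGroupMember -Identity $gg -Members $members -Server $DomainB

# Step 2 (Global -> Domain Local): a domain local group in Domain A that carries the permission.
$dl = New-ADGroup -Name 'DL-PrinterA-Print' -GroupScope DomainLocal -GroupCategory Security `
        -Path 'OU=Groups,DC=domaina,DC=example' -Server $DomainA -PassThru

# Nesting across domains: the member is resolved by SID. Inside one forest Domain A
# references the Domain B group directly; across a forest trust it is stored as a
# foreignSecurityPrincipal object in Domain A.
Add-ADGroupMember -Identity $dl -Members $gg -Server $DomainA

# Step 3 (Domain Local -> Permission): only DL-PrinterA-Print is granted Print permission
# on the printer's Security tab in Domain A; individual users never appear on the ACL.

# Verify the nesting from Domain A's point of view.
Get-ADGroupMember -Identity $dl -Server $DomainA |
    Select-Object Name, objectClass, SID
```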
> How will you take an Active Directory backup?
Active Directory is backed up as part of the System State data. System State data includes the local registry, COM+, boot files, NTDS.DIT and the SYSVOL folder. System State can be backed up either with Microsoft's built-in NTBACKUP tool or with third-party tools such as Symantec NetBackup, IBM Tivoli Storage Manager, etc.
> What is the Lost and Found container?
In the multi-master replication model, replication conflicts can occur. Objects involved in replication conflicts are stored in a container called 'Lost and Found'. This container is also used to store orphaned user accounts and other objects.
> Do we use clustering in Active Directory? Why?
Active Directory is not installed in a cluster. There is no need to cluster a domain controller, because Active Directory itself provides full redundancy when two or more domain controllers are deployed.
> What is the Active Directory Recycle Bin?
The Active Directory Recycle Bin is a feature of Windows Server 2008 AD. It restores accidentally deleted Active Directory objects without using a backed-up AD database, rebooting a domain controller or restarting any services.
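An added example, not from the original page, of enabling the Recycle Bin and then restoring a deleted user with it; the forest name, user name and fallback OU are assumptions:

```powershell
Import-Module ActiveDirectory

# Assumptions for illustration.
$Forest     = 'contoso.example'
$SamAccount = 'jdoe'
$FallbackOU = 'OU=Restored,DC=contoso,DC=example'

# Enabling the Recycle Bin is forest-wide and cannot be undone, so check first.
$feature = Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"'
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $Forest -Confirm:$false
}

# Deleted objects keep their attributes (group membership included) only while the
# Recycle Bin is enabled; plain tombstones lose most attributes and cannot be fully
# restored this way.
$deleted = Get-ADObject -Filter "isDeleted -eq `$true -and samAccountName -eq '$SamAccount'" `
               -IncludeDeletedObjects -Properties lastKnownParent, whenChanged

foreach ($obj in $deleted) {
    # lastKnownParent records the original OU. If that OU was deleted as well, restore
    # into a fallback OU instead (or restore the OU first).
    $parentExists = Get-ADObject -Filter "distinguishedName -eq '$($obj.lastKnownParent)'"
    $target = if ($parentExists) { $obj.lastKnownParent } else { $FallbackOU }
    Restore-ADObject -Identity $obj -TargetPath $target
}

# Verify the object is back, including the memberships the Recycle Bin preserved.
Get-ADUser -Identity $SamAccount -Properties memberOf |
    Select-Object DistinguishedName, Enabled, memberOf
```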
> What is an RODC? Why do we configure an RODC?
A Read-Only Domain Controller (RODC) is a feature of the Windows Server 2008 operating system. An RODC holds a read-only copy of the Active Directory database and can be deployed in a remote branch office where physical security cannot be guaranteed. An RODC provides improved security and faster logon times for the branch office.
www.techiebird.com/ad12.html

> How do you check the current forest and domain functional levels? Say both GUI and command line.
To find the forest and domain functional levels in GUI mode, open Active Directory Users and Computers (ADUC), right-click the domain name and open Properties. Both the domain and forest functional levels are listed there. From the command line, you can use the DSQUERY command.
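An added example, not from the original page, that reads both functional levels straight from the directory without the AD module and lists the matching DSQUERY commands; it assumes it runs on a domain-joined machine that can reach a domain controller:

```powershell
# Assumption: runs on a domain-joined machine; [ADSI] needs no extra module.
# msDS-Behavior-Version values and their documented level names.
$LevelNames = @{
    0 = 'Windows 2000'
    1 = 'Windows Server 2003 interim'
    2 = 'Windows Server 2003'
    3 = 'Windows Server 2008'
    4 = 'Windows Server 2008 R2'
    5 = 'Windows Server 2012'
    6 = 'Windows Server 2012 R2'
    7 = 'Windows Server 2016'
}

# RootDSE tells us where the domain and configuration naming contexts are.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainNC = $rootDse.defaultNamingContext.Value
$configNC = $rootDse.configurationNamingContext.Value

# The domain level is stored on the domain naming context head, the forest level on the
# Partitions container of the configuration naming context; both use msDS-Behavior-Version.
$domainObj = [ADSI]"LDAP://$domainNC"
$forestObj = [ADSI]"LDAP://CN=Partitions,$configNC"

$domainLevel = [int]$domainObj.Properties['msDS-Behavior-Version'].Value
$forestLevel = [int]$forestObj.Properties['msDS-Behavior-Version'].Value

[pscustomobject]@{
    Domain          = $domainNC
    DomainLevel     = $domainLevel
    DomainLevelName = $LevelNames[$domainLevel]
    ForestLevel     = $forestLevel
    ForestLevelName = $LevelNames[$forestLevel]
}

# The same two values with the DSQUERY command mentioned in the answer above:
#   dsquery * "$domainNC" -scope base -attr msDS-Behavior-Version
#   dsquery * "CN=Partitions,$configNC" -scope base -attr msDS-Behavior-Version
```

The forest level can never be higher than the lowest domain level in the forest, so on a multi-domain forest run the domain half against each domain before planning a raise.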
> Which version of Kerberos is used for Windows 2000/2003 and 2008 Active Directory?
All versions of Windows Server Active Directory use Kerberos 5.
> Name a few port numbers related to Active Directory.
Kerberos 88, LDAP 389, DNS 53, SMB 445
> What is an FQDN?
FQDN expands to Fully Qualified Domain Name. It is a hierarchy of Domain Name System labels that points to a device in the domain at its leftmost end. For example in system.
> Have you heard of ADAC?
ADAC (Active Directory Administrative Center) is a new GUI tool that came with Windows Server 2008 R2 and provides an enhanced data-management experience for the administrator. ADAC lets administrators perform common Active Directory object management tasks across multiple domains from the same ADAC instance.
> How many objects can be created in Active Directory? (both 2003 and 2008)
As per Microsoft, a single AD domain controller can create around 2.15 billion objects during its lifetime.
> Explain the process between a user providing his domain credentials to his workstation and the desktop being loaded. Or, how does AD authentication work?
When a user enters a user name and password, the computer sends the user name to the KDC. The KDC
contains a master database of unique long term keys for every principal in its realm. The KDC looks up the
user's master key (KA), which is based on the user's password. The KDC then creates two items: a
session key (SA) to share with the user and a Ticket-Granting Ticket (TGT). The TGT includes a second
copy of the SA, the user name, and an expiration time. The KDC encrypts this ticket by using its own
master key (KKDC), which only the KDC knows. The client computer receives the information from the
KDC and runs the user's password through a one-way hashing function, which converts the password into
the user's KA. The client computer now has a session key and a TGT so that it can securely communicate
with the KDC. The client is now authenticated to the domain and is ready to access other resources in the
domain by using the Kerberos protocol.
> What is urgent replication and when is it used?
You probably know how Active Directory core replication works. When an object is changed, the source DC (the one that serviced the change request) notifies its direct replication neighbours that there was a change to some object. The neighbours then start the replication process by requesting the changes made since the last replication.
It is important to know that there is a notification delay between the actual change to the objects in the directory and the notification sent to the replication partners. Windows Server 2003 DCs wait 15 seconds before they send the change notification. This delay exists so that only one change notification is sent once the change transaction to the object is done. If multiple changes are made to an object, let's say the phone number, the home town and the employeeID of a user, with a one-second delay between them, only one change notification is sent for those three changes. Without the notification delay, and with a second between the changes to a user's attributes, the source DC would send three change notifications to its partners. Too much traffic! Note that the default change notification delay in Windows 2000 was 5 minutes (the numbers may differ depending on installation type, such as an upgrade from 2000 to 2003, and on forest functional level).
Given that, one can think of several scenarios that may lead to problems because the change to the directory is not replicated right away: user password changes, user lockouts, password policy changes, and so on.
For this reason there is urgent replication. Urgent replication works the same way normal replication does, but without the notification delay of a few seconds/minutes. That gets urgent changes that need to be distributed throughout the sites and DCs to all edges more quickly. Urgent replication takes place in the following cases:
The password policy or account lockout policy of a domain has changed
The LSA secret has changed (this is used for the secure channels between machines and DCs, and for trusts)
A user or computer is locked out due to failed logon attempts (in this case, urgent replication is used to notify the DC holding the PDC emulator role first and then all others)
The RID master has changed
So if one of the mentioned events takes place, urgent replication occurs and there is no notification delay before the neighbouring DCs are notified of the change.
> Which FSMO role directly impacts the consistency of Group Policy?
PDC Emulator.
> I want to promote a new additional domain controller in an existing domain. Which groups should I be a member of?
You should be a member of the Enterprise Admins group or the Domain Admins group. You should also be a member of the local Administrators group of the member server that you are going to promote as an additional domain controller.
> Tell me the easiest way to check all five FSMO roles.
Use the command netdom query /domain:YourDomain FSMO. It lists the domain controller holding each FSMO role.
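An added PowerShell equivalent of the netdom query above, not from the original page, that goes a step further: it covers every domain in the forest and confirms each role holder actually answers on LDAP port 389 (from the port list earlier on this page). The Test-TcpPort helper is defined here and is not a built-in cmdlet:

```powershell
Import-Module ActiveDirectory

function Test-TcpPort {
    # Raw TCP connect with a timeout, so the check also works where Test-NetConnection
    # is not available (pre-2012 hosts). Helper written for this example.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

$forest = Get-ADForest

# The two forest-wide roles exist once; the three domain roles exist once per domain.
$roles = @(
    [pscustomobject]@{ Domain = $forest.RootDomain; Role = 'Schema Master';        Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Domain = $forest.RootDomain; Role = 'Domain Naming Master'; Holder = $forest.DomainNamingMaster }
)
foreach ($d in $forest.Domains) {
    $dom = Get-ADDomain -Identity $d
    $roles += [pscustomobject]@{ Domain = $d; Role = 'PDC Emulator';          Holder = $dom.PDCEmulator }
    $roles += [pscustomobject]@{ Domain = $d; Role = 'RID Master';            Holder = $dom.RIDMaster }
    $roles += [pscustomobject]@{ Domain = $d; Role = 'Infrastructure Master'; Holder = $dom.InfrastructureMaster }
}

# netdom only reads the role-owner attribute, so a role holder that is offline still
# shows up as the owner. Probe each one on LDAP to catch that case.
$roles | ForEach-Object {
    $_ | Add-Member -NotePropertyName LdapReachable `
                    -NotePropertyValue (Test-TcpPort -ComputerName $_.Holder -Port 389) -PassThru
} | Format-Table Domain, Role, Holder, LdapReachable -AutoSize
```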