Q. What is Active Directory?
Active Directory is the directory service used by Windows 2000. A directory service is a centralized, hierarchical database that contains information about users and resources on a network. In Windows 2000, this database is called the Active Directory data store. The Active Directory data store contains information about various types of network objects, including printers, shared folders, user accounts, groups, and computers. In a Windows 2000 domain, a read/write copy of the Active Directory data store is physically located on each domain controller in the domain.
Three primary purposes of Active Directory are:
- To provide user logon and authentication services
- To enable administrators to organize and manage user accounts, groups, and network resources
- To enable authorized users to easily locate network resources, regardless of where they are located on the network
A directory service consists of two parts—a centralized, hierarchical database that contains information about users and resources on a network, and a service that manages the database and enables users of computers on the network to access the database. In Windows 2008, the database is called the Active Directory data store, or sometimes just the directory. The Active Directory data store contains information about various types of network objects, including printers, shared folders, user accounts, groups, and computers. Windows 2000 Server computers that have a copy of the Active Directory data store, and that run Active Directory are called domain controllers. In a Windows 2008 domain, a read/write copy of the Active Directory data store is physically located on each domain controller in the domain.
Q. What are the physical components of Active Directory?
Logical Components of Active Directory
In creating the hierarchical database structure of Active Directory, Microsoft facilitated locating resources such as folders and printers by name rather than by physical location. These logical building blocks include domains, trees, forests, and OUs. The physical location of objects within Active Directory is represented by including all objects in a given location in its own site. Because a domain is the basic unit on which Active Directory is built, the domain is introduced first; followed by trees and forests (in which domains are located); and then OUs, which are containers located within a domain.
Domain:
A domain is a logical grouping of networked computers in which one or more of the computers has one or more shared resources, such as a shared folder or a shared printer, and in which all of the computers share a common central domain directory database that contains user account security information. One distinct advantage of using a domain, particularly on a large network, is that administration of user account security for the entire network can be managed from a centralized location. In a domain, a user has only one user account, which is stored in the domain directory database. This user account enables the user to access shared resources (that the user has permissions to access) located on any computer in the domain.
Active Directory domains can hold millions of objects, as opposed to the Windows NT domain structure, which was limited to approximately 40,000 objects. As in previous versions of Active Directory, the Active Directory database file (ntds.dit) defines the domain. Each domain has its own ntds.dit file, which is stored on (and replicated among) all domain controllers by a process called multimaster replication. The domain controllers manage the configuration of domain security and store the directory services database. This arrangement permits central administration of domain account privileges, security, and network resources. Networked devices and users belonging to a domain validate with a domain controller at startup. All computers that refer to a specific set of domain controllers make up the domain. In addition, group accounts such as global groups and domain local groups are defined on a domain-wide basis.
Trees
A tree is a group of domains that share a contiguous namespace. In other words, a tree consists of a parent domain plus one or more sets of child domains whose names reflect that of the parent. For example, a parent domain named examcram.com can include child domains with names such as products.examcram.com, sales.examcram.com, and manufacturing.examcram.com. Furthermore, the tree structure can contain grandchild domains such as america.sales.examcram.com or europe.sales.examcram.com, and so on, as shown in Figure 1-2. A domain called que.com would not belong to the same tree. Following the inverted tree concept originated by X.500, the tree is structured with the parent domain at the top and child domains beneath it. All domains in a tree are linked with two-way, transitive trust relationships; in other words, accounts in any one domain can access resources in another domain and vice versa.
Forests
A forest is a grouping or hierarchical arrangement of one or more separate, completely independent domain trees. As such, forests have the following characteristics:
- All domains in a forest share a common schema.
- All domains in a forest share a common global catalog.
- All domains in a forest are linked by implicit two-way transitive trusts.
Trees in a forest have different naming structures, according to their domains. Domains in a forest operate independently, but the forest enables communication across the entire organization.
Organizational Unit:
An organizational unit (OU) is a container used to organize objects within one domain into logical administrative groups. An OU can contain objects such as user accounts, groups, computers, printers, applications, shared folders, and other OUs from the same domain. OUs are represented by a folder icon with a book inside. The Domain Controllers OU is created by default when Active Directory is installed to hold new Microsoft Windows Server 2003 domain controllers. OUs can be added to other OUs to form a hierarchical structure; this process is known as nesting OUs. Each domain has its own OU structure—the OU structure within a domain is independent of the OU structures of other domains.
There are three reasons for defining an OU:
- To delegate administration – In the Windows Server 2003 operating system, you can delegate administration for the contents of an OU (all users, computers, or resource objects in the OU) by granting administrators specific permissions for an OU on the OU’s access control list.
- To administer Group Policy
- To hide objects
Physical Components of Active Directory
There are two physical components of Active Directory:
- Domain Controllers
- Sites
Domain Controllers
Any server on which you have installed Active Directory is a domain controller. These servers authenticate all users logging on to the domain in which they are located, and they also serve as centers from which you can administer Active Directory in Windows Server 2008. A domain controller stores a complete copy of all objects contained within the domain, plus the schema and configuration information relevant to the forest in which the domain is located. Unlike Windows NT, there are no primary or backup domain controllers. Similar to Windows 2000 and Windows Server 2003, all domain controllers hold a master, editable copy of the Active Directory database.
Every domain must have at least one DC. A domain may have more than one DC; having more than one DC provides the following benefits:
- Fault tolerance: If one domain controller goes down, another one is available to authenticate logon requests and locate resources through the directory.
- Load balancing: All domain controllers within a site participate equally in domain activities, thus spreading out the load over several servers. This configuration optimizes the speed at which requests are serviced.
Sites
By contrast to the logical grouping of Active Directory into forests, trees, domains, and OUs, Microsoft includes the concept of sites to group together resources within a forest according to their physical location and/or subnet. A site is a set of one or more IP subnets, which are connected by a high-speed, always available local area network (LAN) link. Figure 1-5 shows an example with two sites, one located in Chicago and the other in New York. A site can contain objects from more than one tree or domain within a single forest, and individual trees and domains can encompass more than one site. The use of sites enables you to control the replication of data within the Active Directory database as well as to apply policies to all users and computers or delegate administrative control to these objects within a single physical location. In addition, sites enable users to be authenticated by domain controllers in the same physical location rather than a distant location as often as possible. You should configure a single site for all work locations connected within a high-speed, always available LAN link and designate additional sites for locations separated from each other by a slower wide area network (WAN) link. Using sites permits you to configure Active Directory replication to take advantage of the high-speed connection. It also enables users to connect to a domain controller using a reliable, high-speed connection.
Q. What are the components of Active Directory?
Object:
An object is any specific item that can be cataloged in Active Directory. Examples of objects include users, computers, printers, folders, and files. These items are classified by a distinct set of characteristics, known as attributes. For example, a user can be characterized by the username, full name, telephone number, email address, and so on. Note that, in general, objects in the same container have the same types of attributes but are characterized by different values of these attributes. The Active Directory schema defines the extent of attributes that can be specified for any object.
Classes
The Active Directory service, in turn, classifies objects into classes. These classes are logical groupings of similar objects, such as users. Each class is a series of attributes that define the characteristics of the object.
Schemas
The schema is a set of rules that define the classes of objects and their attributes that can be created in Active Directory. It defines what attributes can be held by objects of various types, which of the various classes can exist, and what object class can be a parent of the current object class. For example, the User class can contain user account objects and possess attributes such as password, group membership, home folder, and so on.
When you first install Active Directory on a server, a default schema is created, containing definitions of commonly used objects and properties such as users, computers, and groups. This default schema also contains definitions of objects and properties needed for the functioning of Active Directory.
Global catalog
A global catalog server is a domain controller that has an additional duty—it maintains a global catalog. A global catalog is a master, searchable database that contains information about every object in every domain in a forest. The global catalog contains a complete replica of all objects in Active Directory for its host domain, and contains a partial replica of all objects in Active Directory for every other domain in the forest.
A global catalog server performs two important functions:
- Provides group membership information during logon and authentication
- Helps users locate resources in Active Directory
Q. What are the protocols used by AD?
Because Active Directory is based on standard directory access protocols, such as Lightweight Directory Access Protocol (LDAP) version 3, and the Name Service Provider Interface (NSPI), it can interoperate with other directory services employing these protocols.
LDAP is the directory access protocol used to query and retrieve information from Active Directory. Because it is an industry-standard directory service protocol, programs can be developed using LDAP to share Active Directory information with other directory services that also support LDAP.
The NSPI protocol, which is used by Microsoft Exchange 4.0 and 5.x clients, is supported by Active Directory to provide compatibility with the Exchange directory.
Q. What are the minimum requirements to install Windows 2008 AD?
- An NTFS partition with enough free space
- An Administrator’s username and password
- The correct operating system version
- A NIC
- Properly configured TCP/IP (IP address, subnet mask and – optional – default gateway)
- A network connection (to a hub or to another computer via a crossover cable)
- An operational DNS server (which can be installed on the DC itself)
- A Domain name that you want to use
Q. How do you verify whether the AD installation is proper?
- Default containers: These are created automatically when the first domain is created. Open Active Directory Users and Computers, and then verify that the following containers are present: Computers, Users, and ForeignSecurityPrincipals.
- Default domain controllers organizational unit: Open Active Directory Users and Computers, and then verify this organizational unit.
- Default-First-Site-Name
- Active Directory database: The Active Directory database is your Ntds.dit file. Verify its existence in the %Systemroot%\Ntds folder.
- Global catalog server: The first domain controller becomes a global catalog server, by default. To verify this item:
- a. Click Start, point to Programs, click Administrative Tools, and then click Active Directory Sites and Services.
- b. Double-click Sites to expand it, expand Servers, and then select your domain controller.
- c. Double-click the domain controller to expand the server contents.
- d. Below the server, an NTDS Settings object is displayed. Right-click the object, and then click Properties.
- e. On the General tab, you can observe a global catalog check box, which should be selected, by default.
Root domain: The forest root is created when the first domain controller is installed. Verify your computer network identification in My Computer. The Domain Name System (DNS) suffix of your computer should match the domain name that the domain controller belongs to. Also, ensure that your computer registers the proper computer role. To verify this role, use the net accounts command. The computer role should say “primary” or “backup” depending on whether it is the first domain controller in the domain.
Shared system volume: A Windows 2000 domain controller should have a shared system volume located in the %Systemroot%\Sysvol\Sysvol folder. To verify this item, use the net share command. The Active Directory also creates two standard policies during the installation process: The Default Domain policy and the Default Domain Controllers policy (located in the %Systemroot%\Sysvol\Domain\Policies folder). These policies are displayed as the following globally unique identifiers (GUIDs):
{31B2F340-016D-11D2-945F-00C04FB984F9} representing the Default Domain policy
{6AC1786C-016F-11D2-945F-00C04fB984F9} representing the Default Domain Controllers policy
SRV resource records: You must have a DNS server installed and configured for Active Directory and the associated client software to function correctly. Microsoft recommends that you use Microsoft DNS server, which is supplied with Windows 2000 Server as your DNS server. However, Microsoft DNS server is not required. The DNS server that you use must support the Service Resource Record (SRV RR) Requests for Comments (RFC) 2052, and the dynamic update protocol (RFC 2136). Use the DNS Manager Microsoft Management Console (MMC) snap-in to verify that the appropriate zones and resource records are created for each DNS zone. Active Directory creates its SRV RRs in the following folders:
- _Msdcs/Dc/_Sites/Default-first-site-name/_Tcp
- _Msdcs/Dc/_Tcp
In these locations, an SRV RR is displayed for the following services:
- _kerberos
- _ldap
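A scripted version of the SRV record check above, added here as an example (not code from the page): it turns the two DNS Manager folder paths and the two services into the owner names a domain controller registers, then compares them with a zone export. SAMPLE_ZONE is constructed data, and example.test and the site name are placeholders.

```python
"""Verify the SRV records listed above against a DNS zone export.

Added example, not code from the page. expected_srv_names() converts the
folder paths _Msdcs/Dc/_Tcp and _Msdcs/Dc/_Sites/<site>/_Tcp plus the
services _kerberos and _ldap into DNS owner names; missing_srv_records()
and wrong_port_records() compare those with a zone export.
SAMPLE_ZONE is constructed; example.test and the site name are placeholders.
"""
import re

SERVICES = ("_kerberos", "_ldap")
# Well-known ports the two services listen on: Kerberos 88, LDAP 389.
EXPECTED_PORTS = {"_kerberos": 88, "_ldap": 389}

# Constructed zone export in zone-file style:
#   owner  ttl  class  type  priority  weight  port  target
# The site-specific _kerberos record is deliberately absent and the
# site-specific _ldap record carries a wrong port, so both checks fire.
SAMPLE_ZONE = """
_ldap._tcp.dc._msdcs.example.test.     600 IN SRV 0 100 389 dc1.example.test.
_kerberos._tcp.dc._msdcs.example.test. 600 IN SRV 0 100 88  dc1.example.test.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.example.test. 600 IN SRV 0 100 636 dc1.example.test.
"""

SRV_LINE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def expected_srv_names(domain: str, site: str) -> set[str]:
    """The DNS Manager folder path reads top-down (_msdcs -> dc -> _sites -> site -> _tcp);
    the DNS owner name is the same labels written innermost-first."""
    names = set()
    for svc in SERVICES:
        names.add(f"{svc}._tcp.dc._msdcs.{domain}".lower())
        names.add(f"{svc}._tcp.{site}._sites.dc._msdcs.{domain}".lower())
    return names


def parse_srv_records(zone_text: str) -> dict[str, list[dict]]:
    """Map each SRV owner name (lower-cased, no trailing dot) to its records."""
    records: dict[str, list[dict]] = {}
    for raw in zone_text.splitlines():
        line = raw.strip()
        match = SRV_LINE.match(line) if line else None
        if not match:
            continue  # skip blank lines and non-SRV records
        owner = match["owner"].rstrip(".").lower()
        records.setdefault(owner, []).append(
            {"port": int(match["port"]), "target": match["target"].rstrip(".")}
        )
    return records


def missing_srv_records(zone_text: str, domain: str, site: str) -> list[str]:
    """Expected owner names that have no SRV record at all in the export."""
    present = parse_srv_records(zone_text)
    return sorted(name for name in expected_srv_names(domain, site) if name not in present)


def wrong_port_records(zone_text: str) -> list[tuple[str, int]]:
    """(owner, port) pairs where a _kerberos/_ldap record advertises an unexpected port."""
    bad = []
    for owner, recs in parse_srv_records(zone_text).items():
        service = owner.split(".", 1)[0]  # leading label, e.g. "_ldap"
        if service in EXPECTED_PORTS:
            bad.extend((owner, r["port"]) for r in recs if r["port"] != EXPECTED_PORTS[service])
    return sorted(bad)


if __name__ == "__main__":
    print(missing_srv_records(SAMPLE_ZONE, "example.test", "Default-First-Site-Name"))
    print(wrong_port_records(SAMPLE_ZONE))
```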
Q. What is LDAP?
Short for Lightweight Directory Access Protocol, a set of protocols for accessing information directories. LDAP is based on the standards contained within the X.500 standard, but is significantly simpler. And unlike X.500, LDAP supports TCP/IP, which is necessary for any type of Internet access. Because it’s a simpler version of X.500, LDAP is sometimes called X.500-lite.
Q. What is FRS (File replication services)?
The File Replication Service (FRS) replicates specific files using the same multi-master model that Active Directory uses. It is used by the Distributed File System for replication of DFS trees that are designated as domain root replicas. It is also used by Active Directory to synchronize content of the SYSVOL volume automatically across domain controllers. The reason the FRS service replicates contents of the SYSVOL folder is so clients will always get a consistent logon environment when logging on to the domain, no matter which domain controller actually handles the request. When a client submits a logon request, he or she submits that request for authentication to the SYSVOL directory. A subfolder of this directory, called \scripts, is shared on the network as the netlogon share. Any logon scripts contained in the netlogon share are processed at logon time. Therefore, the FRS is responsible for all domain controllers providing the same logon directory structure to clients throughout the domain.
Q. Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.
Yes, you can connect Active Directory to other 3rd-party directory services, such as the directories used by SAP, Domino, etc., with the help of MIIS (Microsoft Identity Integration Server).
You can use DirXML or LDAP to connect to other directories (e.g. eDirectory from Novell).
Q. Where is the AD database held? What other folders are related to AD?
The AD database is saved in %systemroot%\ntds. You can see other files in this folder as well. These are the main files controlling the AD structure:
- ntds.dit
- edb.log
- res1.log
- res2.log
- edb.chk
When a change is made to the Win2K database, triggering a write operation, Win2K records the transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD database. System performance determines how fast the system writes the data to the AD database from the log file. Any time the system is shut down, all transactions are saved to the database.
During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is 10MB. These files are used to ensure that changes can be written to disk should the system run out of free disk space. The checkpoint file (edb.chk) records transactions committed to the AD database (ntds.dit). During shutdown, a “shutdown” statement is written to the edb.chk file. Then, during a reboot, AD determines that all transactions in the edb.log file have been committed to the AD database. If, for some reason, the edb.chk file doesn’t exist on reboot or the shutdown statement isn’t present, AD will use the edb.log file to update the AD database.
The last file in our list of files to know is the AD database itself, ntds.dit. By default, the file is located in \NTDS, along with the other files we’ve discussed.
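The write-ahead sequence across edb.log, edb.chk and ntds.dit described above, as an added in-memory model (not code from the page or from Microsoft). The record layout and the SHUTDOWN marker string are constructed stand-ins for the real ESE on-disk format, and the DN and attribute values are constructed sample data.

```python
"""Model of the edb.log / edb.chk / ntds.dit sequence described above.

Added example, not the page's or Microsoft's code: an in-memory model of
the write-ahead behaviour, showing why a change reaches edb.log before
ntds.dit and how a missing checkpoint file or missing shutdown statement
makes the next start replay the log. Record layouts and the SHUTDOWN marker
are constructed stand-ins, not the real ESE on-disk format.
"""
from dataclasses import dataclass, field
from typing import Optional

SHUTDOWN_MARKER = "SHUTDOWN"  # constructed stand-in for the clean-shutdown statement in edb.chk


@dataclass
class DirectoryStore:
    ntds_dit: dict = field(default_factory=dict)           # committed values: {dn: {attr: value}}
    edb_log: list = field(default_factory=list)            # durable records: (txn_id, dn, attr, value)
    edb_chk: Optional[dict] = field(default_factory=dict)  # {"committed": txn_id, "marker": str}; None = file missing

    def write(self, dn: str, attr: str, value: str) -> int:
        """Write-ahead: the transaction is recorded in edb.log first; ntds.dit is updated later by flush()."""
        txn_id = len(self.edb_log) + 1
        self.edb_log.append((txn_id, dn, attr, value))
        return txn_id

    def flush(self) -> int:
        """Apply log records newer than the checkpoint to ntds.dit and advance the checkpoint.
        Returns how many records were applied."""
        if self.edb_chk is None:
            self.edb_chk = {}  # checkpoint lost: assume nothing is committed and replay the whole log
        done = self.edb_chk.get("committed", 0)
        pending = self.edb_log[done:]
        for txn_id, dn, attr, value in pending:
            self.ntds_dit.setdefault(dn, {})[attr] = value  # idempotent: replaying twice is harmless
            done = txn_id
        self.edb_chk["committed"] = done
        return len(pending)

    def clean_shutdown(self) -> None:
        """Flush all transactions to the database, then write the shutdown statement to edb.chk."""
        self.flush()
        self.edb_chk["marker"] = SHUTDOWN_MARKER

    def crash(self, lose_checkpoint: bool = False) -> None:
        """Abrupt stop: no flush and no shutdown statement; optionally edb.chk is lost as well."""
        if lose_checkpoint or self.edb_chk is None:
            self.edb_chk = None
        else:
            self.edb_chk.pop("marker", None)

    def startup(self) -> int:
        """Recovery rule from the text: replay edb.log unless edb.chk exists and carries the
        shutdown statement. Returns the number of log records replayed (0 after a clean shutdown)."""
        clean = self.edb_chk is not None and self.edb_chk.get("marker") == SHUTDOWN_MARKER
        replayed = 0 if clean else self.flush()
        self.edb_chk.pop("marker", None)  # system is running again; the marker is rewritten at next shutdown
        return replayed


def demo(lose_checkpoint: bool) -> tuple[int, dict]:
    """Three writes, a crash and a restart; returns (records replayed, resulting ntds.dit)."""
    dn = "CN=AlanC,OU=US,DC=Exportsinc,DC=com"  # constructed sample object
    store = DirectoryStore()
    store.write(dn, "telephoneNumber", "555-0100")
    store.write(dn, "mail", "alanc@exportsinc.com")
    store.flush()                                    # first two changes reach ntds.dit
    store.write(dn, "userAccountControl", "514")     # logged only, not yet flushed
    store.crash(lose_checkpoint=lose_checkpoint)
    replayed = store.startup()
    return replayed, store.ntds_dit


if __name__ == "__main__":
    print(demo(lose_checkpoint=False))  # one pending record is replayed
    print(demo(lose_checkpoint=True))   # checkpoint gone: the whole log is replayed
```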
Q. What is the SYSVOL folder?
The SYSVOL folder is critical because it contains the domain’s public files. This directory is shared out (as SYSVOL), and any files kept in the SYSVOL folder are replicated to all other domain controllers in the domain using the File Replication Service (FRS)—and yes, that’s important to know on the exam.
The SYSVOL folder also contains the following items:
- The NETLOGON share, which is the location where domain logon requests are submitted for processing, and where logon scripts can be stored for client processing at logon time.
- Windows Group Policies
- FRS folders and files that must be available and synchronized between domain controllers if the FRS is in use. Distributed File System (DFS), for example, uses the FRS to keep shared data consistent between replicas.
You can open the SYSVOL folder by typing %systemroot%\sysvol on a DC.
Q. Name the AD NCs and replication issues for each NC
- Schema NC
- Configuration NC
- Domain NC
Schema NC: This NC is replicated to every other domain controller in the forest. It contains information about the Active Directory schema, which in turn defines the different object classes and attributes within Active Directory.
Configuration NC: Also replicated to every other DC in the forest, this NC contains forest-wide configuration information pertaining to the physical layout of Active Directory, as well as information about display specifiers and forest-wide Active Directory quotas.
Domain NC: This NC is replicated to every other DC within a single Active Directory domain. This is the NC that contains the most commonly-accessed Active Directory data: the actual users, groups, computers, and other objects that reside within a particular Active Directory domain.
Q. What are application partitions? When do I use them?
A1) Application Directory Partition is a partition space in Active Directory which an application can use to store that application specific data. This partition is then replicated only to some specific domain controllers.
The application directory partition can contain any type of data except security principals (users, computers, groups).
A2) These are specific to Windows Server 2003 domains.
An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.
Q. How do you create a new application partition?
The DnsCmd command is used to create a new application directory partition. For example, to create a partition named “NewPartition” on the domain controller DC1.contoso.com, log on to the domain controller and type the following command:
DnsCmd DC1 /CreateDirectoryPartition NewPartition.contoso.com
Q. How do you view replication properties for AD partitions and DCs?
By using Replication Monitor: go to Start > Run and type replmon.
Q. What is the Global Catalog?
The global catalog is the central repository of information about objects in a tree or forest. By default, a global catalog is created automatically on the initial domain controller in the first domain in the forest. A domain controller that holds a copy of the global catalog is called a global catalog server. You can designate any domain controller in the forest as a global catalog server. Active Directory uses multimaster replication to replicate the global catalog information between global catalog servers in other domains. It stores a full replica of all object attributes in the directory for its host domain and a partial replica of all object attributes contained in the directory for every domain in the forest. The partial replica stores attributes most frequently used in search operations (such as a user’s first and last names, logon name, and so on). Attributes are marked or unmarked for replication in the global catalog when they are defined in the Active Directory schema. Object attributes replicated to the global catalog inherit the same permissions as in source domains, ensuring that data in the global catalog is secure.
Q. What is schema?
The Active Directory schema defines objects that can be stored in Active Directory. The schema is a list of definitions that determines the kinds of objects and the types of information about those objects that can be stored in Active Directory. Because the schema definitions themselves are stored as objects, they can be administered in the same manner as the rest of the objects in Active Directory. The schema is defined by two types of objects: schema class objects (also referred to as schema classes) and schema attribute objects (also referred to as schema attributes).
Q. GC and infrastructure master should not be on same server, why?
Unless your domain consists of only one domain controller, the infrastructure master should not be assigned to a domain controller that’s also a Global Catalog server. If the infrastructure master and Global Catalog are stored on the same domain controller, the infrastructure master will not function because it will never find data that is out of date. It therefore won’t ever replicate changes to the other domain controllers in the domain. There are two exceptions:
- If all your domain controllers are Global Catalog servers, it won’t matter because all servers will have the latest changes to the Global Catalog.
- If you are implementing a single Active Directory domain, no other domains exist in the forest to keep track of, so in effect, the infrastructure master is out of a job.
Q. Why not make all DCs in a large forest as GCs?
When all DCs become GCs, replication traffic increases; also, the infrastructure master and GC should not be kept on the same domain controller, so at least one DC should operate without holding the GC role.
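A scripted audit of the rule in the two answers above (infrastructure master not on a GC, with its two exceptions), added here as an example and not code from the page or from Microsoft. The DomainController record shape and SAMPLE_FOREST are constructed for this example; host and domain names are placeholders.

```python
"""Audit infrastructure-master / global-catalog placement per the two answers above.

Added example, not code from the page or from Microsoft: a pure-Python check
over a constructed forest inventory. The DomainController record shape is an
assumption of this example; a real run would populate it from your own
inventory tooling. Host and domain names are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainController:
    name: str
    domain: str
    is_gc: bool                        # holds the global catalog
    holds_infrastructure_master: bool  # holds the per-domain infrastructure master role


def audit_infrastructure_master(forest: list[DomainController]) -> list[str]:
    """One finding per domain whose infrastructure master also holds the GC where
    that actually stops the role from working. Both exceptions from the text are
    honoured: a single-domain forest, and a domain where every DC is a GC."""
    findings: list[str] = []
    domains = {dc.domain for dc in forest}
    if len(domains) < 2:
        return findings  # single-domain forest: no other domains to track, rule does not apply
    for domain in sorted(domains):
        dcs = [dc for dc in forest if dc.domain == domain]
        holders = [dc for dc in dcs if dc.holds_infrastructure_master]
        if len(holders) != 1:
            findings.append(f"{domain}: expected exactly one infrastructure master, found {len(holders)}")
            continue
        im = holders[0]
        non_gc = [dc.name for dc in dcs if not dc.is_gc]
        if im.is_gc and non_gc:
            # A GC on the infrastructure master never sees stale cross-domain
            # references, so it never pushes updates to the non-GC DCs listed here.
            findings.append(
                f"{domain}: infrastructure master {im.name} is also a GC; "
                f"move the role to a non-GC DC ({', '.join(non_gc)}) or make every DC a GC"
            )
    return findings


def non_gc_candidates(forest: list[DomainController], domain: str) -> list[str]:
    """DCs in a domain that do not hold the GC, i.e. valid homes for the infrastructure master."""
    return sorted(dc.name for dc in forest if dc.domain == domain and not dc.is_gc)


# Constructed inventory: two domains; in exportsinc.com the role sits on a GC while DC3 is not a GC.
SAMPLE_FOREST = [
    DomainController("DC1", "exportsinc.com", is_gc=True, holds_infrastructure_master=False),
    DomainController("DC2", "exportsinc.com", is_gc=True, holds_infrastructure_master=True),
    DomainController("DC3", "exportsinc.com", is_gc=False, holds_infrastructure_master=False),
    DomainController("DC4", "sales.exportsinc.com", is_gc=True, holds_infrastructure_master=True),
]

if __name__ == "__main__":
    for finding in audit_infrastructure_master(SAMPLE_FOREST):
        print(finding)
```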
Q. Trying to look at the Schema, how can I do that?
Register schmmgmt.dll with the command regsvr32 schmmgmt.dll.
Q. What are the Support Tools? Why do I need them?
Support Tools are the tools that are used for performing the complicated tasks easily. These can also be the third party tools. Some of the Support tools include DebugViewer, DependencyViewer, RegistryMonitor, etc.
Q. What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
LDP – Label Distribution Protocol (LDP) is often used to establish MPLS LSPs when traffic engineering is not required. It establishes LSPs that follow the existing IP routing, and is particularly well suited for establishing a full mesh of LSPs between all of the routers on the network.
Replmon – Replmon displays information about Active Directory Replication.
ADSIEDIT – ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects within a directory service. The attributes for each object can be edited or deleted by using this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active Directory. The files required to use this tool are ADSIEDIT.DLL and ADSIEDIT.MSC.
NETDOM – NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels.
REPADMIN – REPADMIN is a built-in Windows diagnostic command-line utility that works at the Active Directory level. Although specific to Windows, it is also useful for diagnosing some Exchange replication problems, since Exchange Server is Active Directory based. REPADMIN doesn’t actually fix replication problems for you. But, you can use it to help determine the source of a malfunction.
Q. What are the Naming Conventions used in AD?
Within Active Directory, each object has a name. When you create an object in Active Directory, such as a user or a computer, you assign the object a name. This name must be unique within the domain—you can’t assign an object the same name as any other object (regardless of its type) in that domain.
At the same time that you create an object, not only do you assign a name to the object, but Active Directory also assigns identifiers to the object. Active Directory assigns every object a globally unique identifier (GUID), and assigns many objects a security identifier (SID). A GUID is typically a 32-digit hexadecimal number that uniquely identifies an object within Active Directory. A SID is a unique number created by the Windows 2000 Security subsystem that is assigned only to security principal objects (users, groups, and computers) when they are created. Windows 2000 uses SIDs to grant or deny a security principal object access to other objects and network resources.
Active Directory uses a hierarchical naming convention that is based on Lightweight Directory Access Protocol (LDAP) and DNS standards.
Objects in Active Directory can be referenced by using one of three Active Directory name types:
- Relative distinguished name (RDN)
- Distinguished name (DN)
- User principal name (UPN)
A relative distinguished name (RDN) is the name that is assigned to the object by the administrator when the object is created. For example, when I create a user named AlanC, the RDN of that user is AlanC. The RDN only identifies an object—it doesn’t identify the object’s location within Active Directory. The RDN is the simplest of the three Active Directory name types, and is sometimes called the common name of the object.
A distinguished name (DN) consists of an object’s RDN, plus the object’s location in Active Directory. The DN supplies the complete path to the object. An object’s DN includes its RDN, the name of the organizational unit(s) that contains the object (if any), and the FQDN of the domain. For example, suppose that I create a user named AlanC in an organizational unit called US in a domain named Exportsinc.com. The DN of this user would be: AlanC@US.Exportsinc.com
A user principal name (UPN) is a shortened version of the DN that is typically used for logon and e-mail purposes. A UPN consists of the RDN plus the FQDN of the domain. Using my previous example, the UPN for the user named AlanC would be: AlanC@Exportsinc.com
Another way you can think of a UPN is as a DN stripped of all organizational unit references.
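The RDN, DN and UPN relationship above, worked through in code as an added example (not code from the page). It takes the DN in the RFC 4514 string form that LDAP tools use (CN=...,OU=...,DC=...,DC=...), handles escaped commas inside values, and derives the UPN by dropping the OU references exactly as the text describes; the AlanC / US / Exportsinc.com names come from the text, and the "Smith, John" value is constructed.

```python
"""Parse LDAP distinguished names and derive the RDN, domain FQDN and UPN.

Added example, not code from the original study guide. It uses the
RFC 4514 string form of a DN (CN=...,OU=...,DC=...,DC=...), the form
LDAP tools display; sample names are taken from the text or constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rdn:
    attr: str   # attribute type, e.g. CN, OU, DC
    value: str  # unescaped value


def _split_rdn(text: str) -> Rdn:
    """Split one 'ATTR=value' component; attribute types are case-insensitive."""
    attr, sep, value = text.partition("=")
    if not sep:
        raise ValueError(f"malformed RDN: {text!r}")
    return Rdn(attr.strip().upper(), value.strip())


def parse_dn(dn: str) -> list[Rdn]:
    """Split a DN string into RDNs, leftmost (the object itself) first.

    A backslash escapes the next character, so a comma inside a value
    ("Smith\\, John") does not start a new RDN.
    """
    rdns: list[Rdn] = []
    buf: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the literal character, drop the backslash
            i += 2
            continue
        if ch == ",":
            rdns.append(_split_rdn("".join(buf)))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if buf:
        rdns.append(_split_rdn("".join(buf)))
    return rdns


def rdn_of(dn: str) -> str:
    """The object's own name: the leftmost RDN value (its common name)."""
    return parse_dn(dn)[0].value


def ou_path(dn: str) -> list[str]:
    """OU containers from the object outwards to the domain."""
    return [r.value for r in parse_dn(dn) if r.attr == "OU"]


def domain_fqdn(dn: str) -> str:
    """Join the DC components into the domain's DNS name."""
    return ".".join(r.value for r in parse_dn(dn) if r.attr == "DC")


def upn_of(dn: str) -> str:
    """UPN = RDN @ domain FQDN, i.e. the DN with every OU reference stripped."""
    return f"{rdn_of(dn)}@{domain_fqdn(dn)}"


if __name__ == "__main__":
    dn = "CN=AlanC,OU=US,DC=Exportsinc,DC=com"
    print(rdn_of(dn), ou_path(dn), domain_fqdn(dn), upn_of(dn))
```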
Q. What are sites? What are they used for?
A site consists of one or more TCP/IP subnets, which are specified by an administrator. Additionally, if a site contains more than one subnet, the subnets should be connected by high-speed, reliable links. Sites do not correspond to domains: You can have two or more sites within a single domain, or you can have multiple domains in a single site. A site is solely a grouping based on IP addresses. Figure 2-7 shows two sites connected by a slow WAN link.
The purpose of sites is to enable servers that regularly copy data to other servers (such as Active Directory replication data) to distinguish between servers in their own site (which are connected by high-speed links) and servers in another site (which are connected by slower-speed WAN links). Replication between domain controllers in the same site is fast, and typically administrators can permit Windows 2000 to automatically perform this task. Replication between a domain controller in one site and domain controllers in other sites is slower (because it takes place over a slow WAN link) and often should be scheduled by the administrator so that use of network bandwidth for replication is minimized during the network’s peak-activity hours.
Sites and Active Directory replication can be configured by using Active Directory Sites and Services.
Uses of sites:
Sites are primarily used to control replication traffic. Domain controllers within a site are pretty much free to replicate changes to the Active Directory database whenever changes are made. Domain controllers in different sites compress the replication traffic and operate based on a defined schedule, both of which are intended to cut down on network traffic.
More specifically, sites are used to control the following:
- Workstation logon traffic
- Replication traffic
- Distributed File System (DFS)
What’s the difference between a site link’s schedule and interval?
A site link is a connection object on which the replication transport mechanism depends; put simply, it represents the type of communication mechanism used to transfer data between different sites. The site link schedule specifies when the replication process is allowed to take place, and the interval specifies how many times replication takes place within that scheduled period.
Q. What is replication? How does it occur in AD? What are the KCC and ISTG?
Each domain controller stores a complete copy of all Active Directory information for its domain and replicates changes to the other domain controllers in the same domain. Domain controllers in a domain automatically replicate directory information for all objects in the domain to each other. When you perform an action that causes an update to Active Directory, you are actually making the change at one of the domain controllers. That domain controller then replicates the change to all other domain controllers within the domain. You can control replication traffic between domain controllers in the network by specifying how often replication occurs and the amount of data that each domain controller replicates at one time. Domain controllers immediately replicate certain important updates, such as the disabling of a user account.
Active Directory uses multimaster replication, in which no one domain controller is the master domain controller. Instead, all domain controllers within a domain are peers, and each domain controller contains a copy of the directory database that can be written to. Domain controllers can hold different information for short periods of time until all domain controllers have synchronized changes to Active Directory.
Although Active Directory supports multimaster replication, some changes are impractical to perform in multimaster fashion. One or more domain controllers can be assigned to perform single-master replication (operations not permitted to occur at different places in a network at the same time). Operations master roles are special roles assigned to one or more domain controllers in a domain to perform single-master replication.
Domain controllers detect collisions, which can occur when an attribute is modified on a domain controller before a change to the same attribute on another domain controller is completely propagated. Collisions are detected by comparing each attribute’s property version number, a number specific to an attribute that is initialized upon creation of the attribute. Active Directory resolves the collision by replicating the changed attribute with the higher property version number.
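The property version numbers described above can be read from each domain controller's replication metadata. The following is an added example, not code from the original page, that shows one attribute's version as held by two DCs and reports which copy the collision rule keeps; it assumes the ActiveDirectory PowerShell module (Windows Server 2012 or later) and hypothetical DC names and user DN in the usage call.

```powershell
# Added example (not from the original page): compare the property version
# number of one attribute across domain controllers.
# Assumptions: ActiveDirectory module available; DC names and the user DN in
# the usage call are hypothetical.
Import-Module ActiveDirectory

function Compare-AttributeVersion {
    param(
        [Parameter(Mandatory)] [string]   $ObjectDN,
        [Parameter(Mandatory)] [string]   $Attribute,
        [Parameter(Mandatory)] [string[]] $DomainController
    )

    $rows = foreach ($dc in $DomainController) {
        # Replication metadata for just this attribute, as this DC currently holds it
        $meta = Get-ADReplicationAttributeMetadata -Object $ObjectDN -Server $dc -Properties $Attribute
        [pscustomobject]@{
            Server      = $dc
            Version     = [int] $meta.Version
            ChangeTime  = $meta.LastOriginatingChangeTime
            Originating = $meta.LastOriginatingChangeDirectoryServerIdentity
        }
    }

    # Rule from the page: the higher property version number wins. Active Directory
    # breaks a version tie on the originating change time, so sort on both.
    $winner = $rows | Sort-Object Version, ChangeTime -Descending | Select-Object -First 1

    # Differing versions mean the DCs have not yet converged on this attribute:
    # either replication is still pending or a collision is in flight.
    [pscustomobject]@{
        Attribute    = $Attribute
        Replicas     = $rows
        NotConverged = (@($rows | Select-Object -ExpandProperty Version -Unique).Count -gt 1)
        WinningCopy  = $winner.Server
    }
}

# Usage: compare the 'description' attribute of a hypothetical user on two DCs
Compare-AttributeVersion -ObjectDN 'CN=AlanC,OU=US,DC=Exportsinc,DC=com' `
    -Attribute 'description' -DomainController 'DC1', 'DC2' | Format-List
```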
Q. What can you do to promote a server to DC if you’re in a remote location with slow WAN link?
Install from Media: In Windows Server 2003 a new feature has been added, and this time it’s one that will actually make our lives easier: you can promote a domain controller using files backed up from a source domain controller.
This feature is called “Install from Media” and it’s available by running DCPROMO with the /adv switch. It’s not a replacement for network replication, we still need network connectivity, but now we can use an old System State copy from another Windows Server 2003, copy it to our future DC, and have the first and basic replication take place from the media instead of across the network, thus saving valuable time and network resources.
What you basically have to do is back up the System State data of an existing domain controller, restore that backup to your replica candidate, and use DCPromo /Adv to tell it to source from local media rather than a network source.
This also works for global catalogs. If we perform a backup of a global catalog server, then we can create a new global catalog server by performing DCPromo from that restored media.
IFM Limitations
It only works for the same domain, so you cannot back up a domain controller in domain A and create a new domain B using that media.
It’s only useful up to the tombstone lifetime with a default of 60 days. So if you have an old backup, then you cannot create a new domain controller using that, because you’ll run into the problem of reanimating deleted objects.
Q. How can you forcibly remove AD from a server, and what do you do later?
Demoting Windows Server 2003 DCs: DCPROMO (Active Directory Installation Wizard) is a toggle switch, which allows you to either install or remove Active Directory DCs. To forcibly demote a Windows Server 2003 DC, run the following command either at the Start, Run, or at the command prompt:
dcpromo /forceremoval
Note: If you’re running Certificate Services on the DC, you must first remove Certificate Services before continuing. If you specify the /forceremoval switch on a server that doesn’t have Active Directory installed, the switch is ignored and the wizard pretends that you want to install Active Directory on that server.
Once the wizard starts, you will be prompted for the Administrator password that you want to assign to the local administrator in the SAM database. If you have Windows Server 2003 Service Pack 1 installed on the DC, you’ll benefit from a few enhancements. The wizard will automatically run certain checks and will prompt you to take appropriate actions. For example, if the DC is a Global Catalog server or a DNS server, you will be prompted. You will also be prompted to take an action if your DC is hosting any of the operations master roles.
Demoting Windows 2000 DCs: On a Windows 2000 domain controller, forced demotion is supported with Service Pack 2 and later. The rest of the procedure is similar to the procedure I described for Windows Server 2003. Just make sure that while running the wizard, you clear the “This server is the last domain controller in the domain” check box. On Windows 2000 Servers you won’t benefit from the enhancements in Windows Server 2003 SP1, so if the DC you are demoting is a Global Catalog server, you may have to manually promote some other DC to a Global Catalog server.
Cleaning the Metadata on a Surviving DC: Once you’ve successfully demoted the DC, your job is not quite done yet. Now you must clean up the Active Directory metadata. You may be wondering why you need to clean the metadata manually. The metadata for the demoted DC is not deleted from the surviving DCs because you forced the demotion. When you force a demotion, Active Directory basically ignores other DCs and does its own thing. Because the other DCs are not aware that you removed the demoted DC from the domain, the references to the demoted DC need to be removed from the domain.
Although Active Directory has made numerous improvements over the years, one of the biggest criticisms of Active Directory is that it doesn’t clean up the mess very well. This is obvious in most cases but, in other cases, you won’t know it unless you start digging deep into the Active Directory database.
To clean up the metadata you use NTDSUTIL. The following procedure describes how to clean up metadata on a Windows Server 2003 SP1. According to Microsoft, the version of NTDSUTIL in SP1 has been enhanced considerably and does a much better job of clean-up, which obviously means that the earlier versions didn’t do a very good job. For Windows 2000 DCs, you might want to check out Microsoft Knowledge Base article 216498, “How to remove data in Active Directory after an unsuccessful domain controller demotion.”
Here’s the step-by-step procedure for cleaning metadata on Windows Server 2003 DCs:
- Logon to the DC as a Domain Administrator.
- At the command prompt, type ntdsutil.
- Type metadata cleanup.
- Type connections.
- Type connect to server servername, where servername is the name of the server you want to connect to.
- Type quit or q to go one level up. You should be at the Metadata Cleanup prompt.
- Type select operation target.
- Type list domains. You will see a list of domains in the forest, each with a different number.
- Type select domain number, where number is the number associated with the domain of your server.
- Type list sites.
- Type select site number, where number is the number associated with the site of your server.
- Type list servers in site.
- Type select server number, where number is the number associated with the server you want to remove.
- Type quit to go to Metadata Cleanup prompt.
- Type remove selected server. You should see a confirmation that the removal completed successfully.
- Type quit to exit ntdsutil.
- You might also want to clean up the DNS database by deleting all DNS records related to the server.
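The same cleanup can be scripted: ntdsutil accepts each line of the interactive session above as a quoted command-line argument, and "remove selected server" with a full DN replaces the list/select steps (Windows Server 2003 SP1 and later). The following is an added example, not from the original page, with a check afterwards that the server object really is gone; it assumes the ActiveDirectory module for the check and hypothetical site, server and domain names in the usage call.

```powershell
# Added example (not from the original page): non-interactive metadata cleanup
# for a forcibly demoted DC, followed by a verification query.
# Assumptions: ntdsutil from Windows Server 2003 SP1 or later; ActiveDirectory
# module present; names in the usage call are hypothetical.
Import-Module ActiveDirectory

function Remove-DcMetadata {
    param(
        [Parameter(Mandatory)] [string] $DemotedServer,   # host name of the DC that was force-demoted
        [Parameter(Mandatory)] [string] $Site,            # site that still holds its server object
        [Parameter(Mandatory)] [string] $SurvivingDc      # healthy DC to run the cleanup against
    )

    $configNC = (Get-ADRootDSE -Server $SurvivingDc).configurationNamingContext
    $serverDN = "CN=$DemotedServer,CN=Servers,CN=$Site,CN=Sites,$configNC"

    # Each quoted argument is one prompt entry from the step-by-step procedure above
    & ntdsutil "metadata cleanup" "connections" "connect to server $SurvivingDc" "quit" `
               "remove selected server $serverDN" "quit" "quit"

    # Verify: no server object with that name may remain anywhere under CN=Sites
    $left = Get-ADObject -Server $SurvivingDc -SearchBase "CN=Sites,$configNC" `
                -Filter "name -eq '$DemotedServer'" -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ServerDN  = $serverDN
        CleanedUp = (-not $left)
        Remaining = $left      # non-empty means manual cleanup (ADSIEdit) is still needed
    }
}

Remove-DcMetadata -DemotedServer 'DC2' -Site 'Default-First-Site-Name' -SurvivingDc 'DC1'
```

DNS records pointing at the removed DC (the last step in the list above) are not touched by this and still have to be deleted separately.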
In general, you will have better luck using forced demotion on Windows Server 2003, because the naming contexts and other objects don’t get cleaned as quickly on Windows 2000 Global Catalog servers, especially servers running Windows 2000 SP3 or earlier. Because forced demotion is meant to be used only as a last resort, there are additional things that you should know about it.
Even after you’ve used NTDSUTIL to clean the metadata, you may still need to do additional cleaning manually using ADSIEdit or other such tools.
Q. Can I get user passwords from the AD database?
To my knowledge, there is no way to extract the password from the AD database. By the way, there is a tool called cache dump. Using it we can extract the cached passwords from a Windows XP machine which is joined to a domain.
Q. Name some OU design considerations.
- Design OU structure based on Active Directory business requirements
- NT Resource domains may fold up into OUs
- Create nested OUs to hide objects
- Objects easily moved between OUs
- Departments , Geographic Region, Job Function, Object Type
Q. What is tombstone lifetime attribute?
The number of days before a deleted object is removed from the directory service. This assists in removing objects from replicated servers and prevents restores from reintroducing a deleted object. This value is in the Directory Service object in the configuration NC.
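The value lives exactly where the answer says, so it can be read and applied to the Install from Media limitation described earlier (media older than the tombstone lifetime must not be used). The following is an added example, not from the original page, that reads tombstoneLifetime from the Directory Service object and checks a backup's age against it; it assumes the ActiveDirectory module, and the backup date in the usage call is constructed.

```powershell
# Added example (not from the original page): read the tombstone lifetime and
# decide whether a System State backup is still usable for Install from Media.
# Assumptions: ActiveDirectory module present; backup date below is constructed.
Import-Module ActiveDirectory

function Get-TombstoneLifetime {
    param([string] $Server)
    $common = @{}
    if ($Server) { $common.Server = $Server }

    $configNC = (Get-ADRootDSE @common).configurationNamingContext
    $dsObject = Get-ADObject @common -Properties tombstoneLifetime `
        -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

    # When the attribute is absent the directory uses the 60-day default this page describes
    if ($dsObject.tombstoneLifetime) { [int] $dsObject.tombstoneLifetime } else { 60 }
}

function Test-IfmBackupAge {
    param(
        [Parameter(Mandatory)] [datetime] $BackupDate,
        [int] $TombstoneLifetimeDays = (Get-TombstoneLifetime)
    )
    $ageDays = ((Get-Date) - $BackupDate).TotalDays
    [pscustomobject]@{
        BackupDate        = $BackupDate
        AgeDays           = [math]::Round($ageDays, 1)
        TombstoneLifetime = $TombstoneLifetimeDays
        # Media older than the tombstone lifetime would reanimate deleted objects
        UsableForIfm      = ($ageDays -lt $TombstoneLifetimeDays)
    }
}

# Usage with a constructed 45-day-old backup date
Test-IfmBackupAge -BackupDate (Get-Date).AddDays(-45)
```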
Q. How would you find all users that have not logged on since last month?
If you are using a Windows 2003 domain environment, go to Active Directory Users and Computers, select Saved Queries, right-click it and select New Query. Then, under the custom common queries, click Define Query; one of the queries there shows days since last logon.
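The same question answered from PowerShell instead of an ADUC saved query, as an added example that is not part of the original page; it assumes the ActiveDirectory module (Windows Server 2008 R2 or later) and a hypothetical OU in the usage call.

```powershell
# Added example (not from the original page): users with no logon in the last
# N days, including accounts that have never logged on.
# Assumptions: ActiveDirectory module present; the OU below is hypothetical.
# Windows Server 2003 equivalent without PowerShell: dsquery user -inactive 4 (weeks).
Import-Module ActiveDirectory

function Get-InactiveUser {
    param(
        [int]    $Days = 30,
        [string] $SearchBase
    )
    # lastLogonTimestamp is a Windows FILETIME, so the cutoff is converted the same way
    $cutoff = (Get-Date).AddDays(-$Days).ToFileTimeUtc()

    $query = @{
        # Enabled users whose stamp is older than the cutoff, plus enabled users
        # with no stamp at all (never logged on)
        Filter     = "(lastLogonTimestamp -lt $cutoff -or lastLogonTimestamp -notlike '*') -and Enabled -eq 'True'"
        Properties = 'lastLogonTimestamp'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADUser @query | Select-Object Name, SamAccountName,
        @{ Name = 'LastLogon'; Expression = {
            if ($_.lastLogonTimestamp) { [datetime]::FromFileTimeUtc($_.lastLogonTimestamp) } } }
}

# Caveat: lastLogonTimestamp replicates, but a DC only refreshes it when the stored
# value is older than msDS-LogonTimeSyncInterval (14 days by default, minus a random
# 0-5 days), so it can lag the real last logon by up to 14 days. Ask for at least
# 14 days more than you need; "30 days" here really means 16 to 30.
Get-InactiveUser -Days 30 -SearchBase 'OU=US,DC=Exportsinc,DC=com' | Sort-Object LastLogon
```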
Q. What are the DS* commands?
What’s the difference between LDIFDE and CSVDE? Usage considerations?
CSVDE is a command that can be used to import and export objects to and from the AD using a CSV-formatted file. A CSV (Comma Separated Value) file is easily readable in Excel. I will not go at length into this powerful command, but I will show you some basic samples of how to import a large number of users into your AD. Of course, as with the DSADD command, CSVDE can do more than just import users. Consult your help file for more info. Like CSVDE, LDIFDE is a command that can be used to import and export objects to and from the AD using an LDIF-formatted file. An LDIF (LDAP Data Interchange Format) file is easily readable in any text editor; however, it is not readable in programs like Excel. The major difference between CSVDE and LDIFDE (besides the file format) is that LDIFDE can be used to edit and delete existing AD objects (not just users), while CSVDE can only import and export objects.
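The difference becomes concrete with two constructed input files: the CSV can only create objects, while the LDIF carries a changetype per record. This is an added example, not from the original page; the user, OU and domain names are hypothetical and are written as LDAP distinguished names, which both tools require.

```powershell
# Added example (not from the original page): CSVDE import (add only) beside an
# LDIFDE import that modifies and deletes. Files are constructed sample data.
# Assumptions: run on a domain member with the AD command-line tools; names are hypothetical.

# CSVDE: one row per new object. Accounts arrive disabled because CSVDE cannot set
# a password (unicodePwd); set one and enable them afterwards.
$csv = @'
DN,objectClass,sAMAccountName,userPrincipalName,displayName
"CN=AlanC,OU=US,DC=Exportsinc,DC=com",user,AlanC,AlanC@Exportsinc.com,Alan C
"CN=JaneD,OU=US,DC=Exportsinc,DC=com",user,JaneD,JaneD@Exportsinc.com,Jane D
'@
Set-Content -Path .\newusers.csv -Value $csv -Encoding ASCII
# -i import, -f file, -k keep going past "object already exists" errors, -j log folder
csvde -i -f .\newusers.csv -k -j .

# LDIFDE: each record states what to do with an existing object, which CSVDE cannot express
$ldif = @'
dn: CN=AlanC,OU=US,DC=Exportsinc,DC=com
changetype: modify
replace: description
description: Created with CSVDE, updated with LDIFDE
-

dn: CN=OldAccount,OU=US,DC=Exportsinc,DC=com
changetype: delete
'@
Set-Content -Path .\changes.ldf -Value $ldif -Encoding ASCII
ldifde -i -f .\changes.ldf -k -j .

# Export for review: -d search base, -r LDAP filter, -l attribute list (quoted so
# PowerShell passes the comma-separated list as one argument)
ldifde -f .\us-users.ldf -d 'OU=US,DC=Exportsinc,DC=com' -r '(objectClass=user)' `
       -l 'sAMAccountName,userPrincipalName,description'
```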
What is DFS?
The Distributed File System is used to build a hierarchical view of multiple file servers and shares on the network. Instead of having to think of a specific machine name for each set of files, the user will only have to remember one name; which will be the ‘key’ to a list of shares found on multiple servers on the network. Think of it as the home of all file shares with links that point to one or more servers that actually host those shares.
DFS has the capability of routing a client to the closest available file server by using Active Directory site metrics. It can also be installed on a cluster for even better performance and reliability.
It is important to understand the new concepts that are part of DFS. Below is a definition of each of them.
Dfs root: You can think of this as a share that is visible on the network, and in this share you can have additional files and folders.
Dfs link: A link is another share somewhere on the network that goes under the root. When a user opens this link they will be redirected to a shared folder.
Dfs target (or replica): This can be referred to as either a root or a link. If you have two identical shares, normally stored on different servers, you can group them together as Dfs Targets under the same link.
The image below shows the actual folder structure of what the user sees when using DFS and load balancing.
Q. What are the types of replication in DFS?
There are two types of replication:
- Automatic – which is only available for Domain DFS
- Manual – which is available for stand-alone DFS and requires all files to be replicated manually.
Q. Which service is responsible for replicating files in SYSVOL folder?
File Replication Service (FRS)
Q. What is Active Directory?
Active Directory is metadata: a database that stores data such as user information, computer information and information about other network objects. It has capabilities to manage and administer the complete network that connects to AD.
Interview questions and answers – free pdf download Page 3 of 30
Q. What can you do for us that other candidates can't?
What makes you unique? This will take an assessment of your experiences, skills and traits. Summarize concisely: "I have a unique combination of strong technical skills, and the ability to build strong customer relationships. This allows me to use my knowledge and break down information to be more user-friendly."
Q. What is LDAP?
Lightweight Directory Access Protocol. LDAP is the industry standard directory access protocol, making Active Directory widely accessible to management and query applications. Active Directory supports LDAPv3 and LDAPv2.
Q. How do I determine if user accounts have local administrative access?
You can use the net localgroup administrators command on each workstation (probably in a login script so that it records its information to a central file for later review). This command will enumerate the members of the Administrators group on each machine you run it on. Alternately, you can use the Restricted Groups feature of Group Policy to restrict the membership of Administrators to only those users you want to belong.
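The login-script approach just described, as an added example that is not part of the original page: each workstation parses its own net localgroup output and writes a per-machine CSV to a central share, and the reviewer compares the collected members against an allowed list. The share path and allowed list are hypothetical.

```powershell
# Added example (not from the original page): collect local Administrators
# membership centrally for review. Assumptions: the share path is hypothetical
# and writable by the logging account; net localgroup output is in English.

function Get-LocalAdministrator {
    # net localgroup prints a header, a dashed separator, one member per line,
    # then "The command completed successfully."
    $lines = & net localgroup Administrators
    $inList = $false
    foreach ($line in $lines) {
        if ($line -match '^-{5,}')               { $inList = $true; continue }
        if ($line -match 'The command completed') { break }
        if ($inList -and $line.Trim())           { $line.Trim() }
    }
}

function Export-LocalAdministrator {
    param([Parameter(Mandatory)] [string] $CentralPath)
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    $records = Get-LocalAdministrator | ForEach-Object {
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Member = $_; Collected = $stamp }
    }
    # One file per machine avoids write contention when many logon scripts run at once
    $records | Export-Csv -Path (Join-Path $CentralPath "$env:COMPUTERNAME.csv") -NoTypeInformation
    $records
}

# Workstation side (logon script)
Export-LocalAdministrator -CentralPath '\\fileserver\admin-audit$'

# Review side: anything outside the allowed list is a least-privilege finding
# (-notin needs PowerShell 3.0 or later)
$allowed = 'Administrator', 'EXPORTSINC\Domain Admins'
Import-Csv '\\fileserver\admin-audit$\*.csv' | Where-Object { $_.Member -notin $allowed } |
    Sort-Object Computer, Member
```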
Q. Why am I having trouble printing with XP domain users?
In most cases, the inability to print or access resources in situations like this one will boil down to an issue with name resolution, either DNS or WINS/NetBIOS. Be sure that your Windows XP clients’ wireless connections are configured with the correct DNS and WINS name servers, as well as with the appropriate NetBIOS over TCP/IP settings. Compare your wireless settings to your wired LAN settings and look for any discrepancies that may indicate where the functional difference may lie.
Q. What is the ISTG? Who has that role by default?
Windows 2000 domain controllers each create Active Directory replication connection objects representing inbound replication from intra-site replication partners. For inter-site replication, one domain controller per site has the responsibility of evaluating the inter-site replication topology and creating Active Directory replication connection objects for appropriate bridgehead servers within its site. The domain controller in each site that owns this role is referred to as the Inter-Site Topology Generator (ISTG).
Q. What is LSDOU? What is LDP?
LSDOU is the group policy inheritance model, where the policies are applied to Local machines, Sites, Domains and Organizational Units. LDP: Label Distribution Protocol (LDP) is often used to establish MPLS LSPs when traffic engineering is not required. It establishes LSPs that follow the existing IP routing, and is particularly well suited for establishing a full mesh of LSPs between all of the routers on the network.
Q. What are the group types available in Active Directory?
Security groups: Use security groups for granting permissions to gain access to resources. Sending an e-mail message to a group sends the message to all members of the group. Therefore security groups share the capabilities of distribution groups. Distribution groups: Distribution groups are used for sending e-mail messages to groups of users. You cannot grant permissions to distribution groups. Even though security groups have all the capabilities of distribution groups, distribution groups are still required, because some applications can only read distribution groups.
Q. What is REPLMON?
The Microsoft definition of the Replmon tool is as follows: This GUI tool enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication.
Q. What is ADSIEDIT?
ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects within a directory service. The attributes for each object can be edited or deleted by using this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active Directory. The following are the required files for using this tool: ADSIEDIT.DLL ADSIEDIT.
Q. What is REPADMIN?
This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers. Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors.
Q. What are the requirements for installing AD on a new server?
- An NTFS partition with enough free space.
- An Administrator’s username and password.
- The correct operating system version.
- A NIC.
- Properly configured TCP/IP (IP address, subnet mask and, optionally, default gateway).
- A network connection (to a hub or to another computer via a crossover cable).
- An operational DNS server (which can be installed on the DC itself).
- A domain name that you want to use.
- The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder).
Q. How do you take a backup of AD?
To take a backup of Active Directory, go to Start -> Programs -> Accessories -> System Tools -> Backup, or open the Run window and type ntbackup. When the backup screen appears, take a backup of System State; this backs up all the necessary information about the system, including AD, DNS, etc.
Q. What are application partitions? When do I use them?
An application directory partition is a directory partition that is replicated only to specific domain controllers. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition. Using an application directory partition provides redundancy, availability or fault tolerance by replicating data to a specific domain controller or any set of domain controllers anywhere in the forest.
Q. How do I use Registry keys to remove a user from a group?
In Windows Server 2003, you can use the dsmod command-line utility with the -delmbr switch to remove a group member from the command line. You should also look into the freeware utilities available from www.joeware.net. ADFind and ADMod are indispensable tools in my arsenal when it comes to searching and modifying Active Directory.
Q. What are the different modes of AD restore?
A nonauthoritative restore is the default method for restoring Active Directory. To perform a nonauthoritative restore, you must be able to start the domain controller in Directory Services Restore Mode. After you restore the domain controller from backup, replication partners use the standard replication protocols to update Active Directory and associated information on the restored domain controller. An authoritative restore brings a domain or a container back to the state it was in at the time of backup and overwrites all changes made since the backup. If you do not want to replicate the changes that have been made subsequent to the last backup operation, you must perform an authoritative restore. In this case you need to stop inbound replication first before performing the authoritative restore.
Q. What’s the difference between transferring a FSMO role and seizing it?
Seizing an FSMO can be a destructive process and should only be attempted if the existing server with the FSMO is no longer available. If you perform a seizure of the FSMO roles from a DC, you need to ensure two things: the current holder is actually dead and offline, and that the old DC will NEVER return to the network. If you do an FSMO role seize and then bring the previous holder back online, you’ll have a problem. An FSMO role transfer is the graceful movement of the roles from a live, working DC to another live DC. During the process, the current DC holding the role(s) is updated, so it becomes aware it is no longer the role holder.
Q. What are sites? What are they used for?
One or more well-connected (highly reliable and fast) TCP/IP subnets. A site allows administrators to configure Active Directory access and replication topology to take advantage of the physical network. A Site object in Active Directory represents a physical geographic location that hosts networks. Sites contain objects called Subnets. Sites can be used to assign Group Policy Objects, facilitate the discovery of resources, manage Active Directory replication, and manage network link traffic. Sites can be linked to other Sites. Site-linked objects may be assigned a cost value that represents the speed, reliability, availability, or other real property of a physical resource. Site Links may also be assigned a schedule.
Q. Explain the Active Directory Schema.
Windows 2000 and Windows Server 2003 Active Directory uses a database set of rules called “Schema”. The Schema is defined as the formal definition of all object classes, and the attributes that make up those object classes, that can be stored in the directory. As mentioned earlier, the Active Directory database includes a default Schema, which defines many object classes, such as users, groups, computers, domains, organizational units, and so on. These objects are also known as “Classes”. The Active Directory Schema can be dynamically extensible, meaning that you can modify the schema by defining new object types and their attributes and by defining new attributes for existing objects. You can do this either with the Schema Manager snap-in tool included with Windows 2000/2003 Server, or programmatically.
Top 6 tips for job interview
Tip 1: Do your homework
You'll likely be asked difficult questions during the interview. Preparing the list of likely questions in advance will help you easily transition from question to question. Spend time researching the company. Look at its site to understand its mission statement, product offerings, and management team. A few hours spent researching before your interview can impress the hiring manager greatly. Read the company's annual report (often posted on the site), review the employees' LinkedIn profiles, and search the company on Google News, to see if they've been mentioned in the media lately. The more you know about a company, the more you'll know how you'll fit in to it. Ref material: 4career.net/job-interview-checklist-40-points
Tip 2: First impressions
When meeting someone for the first time, we instantaneously make up our minds about various aspects of their personality. Prepare and plan that first impression long before you walk in the door. Continue that excellent impression in the days following, and that job could be yours. Therefore:
- Never arrive late.
- Use positive body language and turn on your charm right from the start.
- Switch off your mobile before you step into the room.
- Look fabulous; dress sharp and make sure you look your best.
- Start the interview with a handshake; give a nice firm press and then some up and down movement.
- Determine to establish a rapport with the interviewer right from the start.
- Always let the interviewer finish speaking before giving your response.
- Express yourself fluently with clarity and precision.
Useful material: 4career.net/top-10-elements-to-make-a-good-first-impression-at-a-job-interview
Tip 3: The “Hidden” Job Market
Many of us don’t recognize that the hidden job market is a huge one and accounts for 2/3 of total job demand from enterprises. This means that if you know how to exploit the hidden job market, you can increase your chance of getting the job up to 300%. In this section, the author shares his experience and useful tips to exploit the hidden job market. Here are some sources to get penetrating into a hidden job market: Friends; Family; Ex-coworkers; Referral; HR communities; Field communities; Social networks such as Facebook, Twitter…; Last recruitment ads from recruiters; HR emails of potential recruiters…
Tip 4: Do-It-Yourself Interviewing Practice
There are a number of ways to prepare for an interview at home without the help of a professional career counselor or coach or a fee-based service. You can practice interviews all by yourself or recruit friends and family to assist you. Useful material: 4career.net/free-ebook-75-interview-questions-and-answers
Tip 5: Ask questions
Do not leave the interview without ensuring that you know all that you want to know about the position. Once the interview is over, your chance to have important questions answered has ended. Asking questions also can show that you are interested in the job. Be specific with your questions. Ask about the company and the industry. Avoid asking personal questions of the interviewer and avoid asking questions pertaining to politics, religion and the like. Ref material: 4career.net/25-questions-to-ask-employers-during-your-job-interview
Tip 6: Follow up and send a thank-you note
Following up after an interview can help you make a lasting impression and set you apart from the crowd. Philip Farina, CPP, a security career expert at Manta Security Management Recruiters, says: "Send both an email as well as a hard-copy thank-you note, expressing excitement, qualifications and further interest in the position. Invite the hiring manager to contact you for additional information. This is also an excellent time to send a strategic follow-up letter of interest." Ref material: 4career.net/top-8-interview-thank-you-letter-samples
What is Global Catalog and its function?
The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.
The global catalog provides the ability to locate objects from any domain without having to know the domain name. A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest.
- Forest-wide searches. The global catalog provides a resource for searching an AD DS forest. Forest-wide searches are identified by the LDAP port that they use. If the search query uses port 3268, the query is sent to a global catalog server.
- User logon. In a forest that has more than one domain, two conditions require the global catalog during user authentication:
- In a domain that operates at the Windows 2000 native domain functional level or higher, domain controllers must request universal group membership enumeration from a global catalog server.
- When a user principal name (UPN) is used at logon and the forest has more than one domain, a global catalog server is required to resolve the name.
- Universal Group Membership Caching. In a forest that has more than one domain, in sites that have domain users but no global catalog server, Universal Group Membership Caching can be used to enable caching of logon credentials so that the global catalog does not have to be contacted for subsequent user logons. This feature eliminates the need to retrieve universal group memberships across a WAN link from a global catalog server in a different site.
- Exchange Address Book lookups. Servers running Microsoft Exchange Server rely on access to the global catalog for address information. Users use global catalog servers to access the global address list (GAL).
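As an added example (not code from the original page), the following PowerShell contrasts a forest-wide global catalog search (GC://, port 3268) with a domain-scoped LDAP search and shows how a UPN is resolved through the GC; it assumes a domain-joined machine whose caller can read the directory, and the function names, filter and attribute list are this example's own.

```powershell
# Added example, not code from the original page: forest-wide search through the
# global catalog versus a domain-scoped LDAP search. Assumes a domain-joined
# machine; Search-Directory and Resolve-UpnViaGlobalCatalog are names chosen here.
Add-Type -AssemblyName System.DirectoryServices

function Search-Directory {
    param(
        [Parameter(Mandatory)][string]$LdapFilter,
        [ValidateSet('GlobalCatalog', 'Domain')][string]$Scope = 'GlobalCatalog',
        [string[]]$Attributes = @('distinguishedName', 'userPrincipalName', 'sAMAccountName')
    )
    $rootDse = [ADSI]'LDAP://RootDSE'
    # GC:// binds to port 3268 and returns the partial attribute set for every
    # domain in the forest; LDAP:// binds to port 389 of the local domain only.
    $root = if ($Scope -eq 'GlobalCatalog') {
        [ADSI]"GC://$($rootDse.rootDomainNamingContext)"
    } else {
        [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $LdapFilter)
    $searcher.PageSize = 500
    # No referral chasing: a forest-wide answer from the GC needs none, and a
    # domain-scoped search should stay domain-scoped so the difference is visible.
    $searcher.ReferralChasing = [System.DirectoryServices.ReferralChasingOption]::None
    foreach ($attr in $Attributes) { [void]$searcher.PropertiesToLoad.Add($attr) }
    try {
        foreach ($entry in $searcher.FindAll()) {
            $row = [ordered]@{ Scope = $Scope }
            foreach ($attr in $Attributes) {
                $key = $attr.ToLower()
                # An attribute outside the partial attribute set comes back empty
                # from the GC; that is expected, query the owning domain for it.
                $row[$attr] = if ($entry.Properties.Contains($key)) { $entry.Properties[$key][0] } else { $null }
            }
            [pscustomobject]$row
        }
    } finally {
        $searcher.Dispose()
    }
}

# Resolving a UPN the way a multi-domain logon must: only the GC can answer
# without first knowing which domain owns the account.
function Resolve-UpnViaGlobalCatalog {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # Escape LDAP filter metacharacters so user input cannot alter the filter.
    $safe = $UserPrincipalName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    Search-Directory -LdapFilter "(&(objectCategory=person)(userPrincipalName=$safe))" -Scope GlobalCatalog
}

# Same filter, two scopes: the GC result spans every domain in the forest,
# the LDAP result is limited to the local domain.
Search-Directory -LdapFilter '(objectCategory=computer)' -Scope GlobalCatalog | Measure-Object
Search-Directory -LdapFilter '(objectCategory=computer)' -Scope Domain | Measure-Object
```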
What are the components of Logical AD?
The logical parts of Active Directory include forests, trees, domains, OUs and global catalogs.
Domain – a logical group of users and computers that share centralized security and administration. A domain is a boundary for security: by default an administrator of a domain is an administrator for only that domain and no others.
Tree – a tree is a collection of Active Directory domains that share a contiguous namespace.
Forest – the largest unit in Active Directory; a collection of trees that share a common schema. In a forest all trees are connected by transitive two-way trust relationships, so users in any tree can access resources in another tree for which they have been given appropriate permissions and rights. By default the first domain created in a forest is referred to as the root domain.
What are the different partitions in AD? Explain each.
The Active Directory database is logically separated into directory partitions:
- Schema partition
- Configuration partition
- Domain partition
- Application partition
Each partition is a unit of replication, and each partition has its own replication topology. Replication occurs between replicas of a directory partition. At least two directory partitions are common to all domain controllers in the same forest: the schema and configuration partitions. All domain controllers in the same domain additionally share a common domain partition.
Schema Partition
Only one schema partition exists per forest. The schema partition is stored on all domain controllers in a forest. The schema partition contains definitions of all objects and attributes that you can create in the directory, and the rules for creating and manipulating them. Schema information is replicated to all domain controllers in the forest.
Configuration Partition
There is only one configuration partition per forest. Stored on all domain controllers in a forest, the configuration partition contains information about the forest-wide Active Directory structure, including what domains and sites exist, which domain controllers exist in each forest, and which services are available. Configuration information is replicated to all domain controllers in a forest.
Domain Partition
Many domain partitions can exist per forest. Domain partitions are stored on each domain controller in a given domain. A domain partition contains information about users, groups, computers and organizational units. The domain partition is replicated to all domain controllers of that domain. All objects in every domain partition in a forest are stored in the global catalog with only a subset of their attribute values.
Application Partition
Application partitions store information about applications in Active Directory. Each application determines how it stores, categorizes, and uses application-specific information. To prevent unnecessary replication of specific application partitions, you can designate which domain controllers in a forest host specific application partitions. Unlike a domain partition, an application partition cannot store security principal objects, such as user accounts. In addition, the data in an application partition is not stored in the global catalog.
As an example of application partitions, if you use a Domain Name System (DNS) that is integrated with Active Directory you have two application partitions for DNS zones — ForestDNSZones and DomainDNSZones:
- ForestDNSZones is part of a forest. All domain controllers and DNS servers in a forest receive a replica of this partition. A forest-wide application partition stores the forest zone data.
- DomainDNSZones is unique for each domain. All domain controllers that are DNS servers in that domain receive a replica of this partition. This application partition stores the domain DNS zone data in DomainDNSZones.<domain name>.
Each domain has a DomainDNSZones partition, but there is only one ForestDNSZones partition. No DNS data is replicated to the global catalog server.
Different types of Disk partition?
How many types of RAID are there? Explain the advantages and disadvantages of any three.
RAID Levels and Types
RAID, an acronym of Redundant Array of Independent (Inexpensive) Disks is the talk of the day. These are an array of disk to give more power, performance, fault tolerance and accessibility to the data, as a single storage system. It’s not mere combination of disks but all the disks are combined providing standard MTBF (mean time before failure) reliability scheme; otherwise chances are performance would be affected drastically if disks are not combined as a single storage unit.
RAID Levels
All RAID types and models are commonly classified as RAID levels, since a RAID represented by a higher number is regarded as a superior, more efficient, higher-performance array than a lower-numbered RAID. Hence the security a RAID offers also depends on the RAID level you are using. RAID arrays not only provide users with maximum security and reliability but also make sure that if a disk fails no data is lost. In-depth knowledge of RAID levels helps when buying RAID servers. Let's briefly discuss the main RAID levels and classes:
RAID 0 – Striping:
It is the Striped Disk Array with no fault tolerance and it requires at least 2 drives to be implemented. Due to having no redundancy feature, RAID 0 is considered the lowest-ranked RAID level. The striped data mapping technique is implemented for high performance at low cost. I/O performance is also improved as the load is spread across many channels. Regeneration, rebuilding and functional redundancy are some salient features of RAID 0.
RAID 1 – Mirroring:
It is the Mirroring (Shadowing) Array meant to provide high performance. A RAID 1 controller is able to perform 2 separate parallel reads or writes per mirrored pair. It also requires at least 2 drives to implement a non-redundant disk array. A high level of availability, access and reliability can be achieved by an entry-level RAID 1 array. With the full redundancy feature available, the need for readability is almost negligible. Controller configuration and storage subsystem design are the easiest and simplest amongst all RAID levels.
RAID 0+1:
It is the RAID array providing high data transfer performance, with at least 4 disks needed to implement the RAID 0+1 level. It's a unique combination of striping and mirroring with all the best features of RAID 0 and RAID 1 included, such as fast data access and fault tolerance at the single-drive level. The multiple stripe segments add high I/O rates to the RAID performance and it is the best solution for maximum reliability.
RAID 2 (ECC):
It is the combination of Inherently Parallel Mapping and Protection RAID array. It’s also known as ECC RAID because each data word bit is written to data disk which is verified for correct data or correct disk error when the RAID disk is read. Due to special disk features required, RAID 2 is not very popular among the corporate data storage masses, despite the extremely high data transference rates.
RAID 3:
RAID 3 works on the Parallel Transfer with Parity technique. The least number of disks required to implement the RAID array is 3 disks. In the RAID 3, data blocks are striped and written on data drives and then the stripe parity is generated, saved and afterwards used to verify the disk reads. Read and write data transfer rate is very high in RAID 3 array and disk failure causes insignificant effects on the overall performance of the RAID.
RAID 4:
RAID 4 requires a minimum of 3 drives to be implemented. It is composed of independent disks with shared parity to protect the data. Data transaction rate for Read is exceptionally high and highly aggregated. Similarly, the low ratio of parity disks to data disks indicates high efficiency.
RAID 5:
RAID 5 is an Independent Distributed Parity block array of data disks with a minimum requirement of at least 3 drives to be implemented and N-1 array capacity. It helps in reducing the write inherence found in RAID 4. A RAID 5 array offers the highest data transaction Read rate, a medium data transaction Write rate and a good cumulative transfer rate.
RAID 6:
RAID 6 is an Independent Data Disk array with Independent Distributed Parity. It is known to be an extension of RAID level 5 with extra fault tolerance and a distributed parity scheme added. RAID 6 is the best available RAID array for mission-critical applications and data storage needs, though the controller design is very complex and overheads are extremely high.
RAID 7:
RAID 7 is the Optimized Asynchrony array for high I/O and data transfer rates and is considered to be the most manageable RAID controller available. The overall write performance is also known to be 50% to 90% better and improved than the single spindle array levels with no extra data transference required for parity handling. RAID 7 is registered as a standard trademark of Storage Computer Corporation.
RAID 10:
RAID 10 is classified as the futuristic RAID controller with extremely high Reliability and performance embedded in a single RAID controller. The minimum requirement to form a RAID level 10 controller is 4 data disks. The implementation of RAID 10 is based on a striped array of RAID 1 array segments, with almost the same fault tolerance level as RAID 1. RAID 10 controllers and arrays are suitable for uncompromising availability and extremely high throughput required systems and environment.
With all the significant RAID levels discussed briefly here, another important point is that whichever level of RAID is used, regular and consistent data backup to tape storage is a must, as tape is the best medium for recovering from a lost-data scenario.
What are FSMO roles?
How to find which server hold which role?
Netdom query FSMO
How can we monitor replication?
The Active Directory Replication Monitor, replmon.exe, is part of the Windows 2000 Support Utilities available on the Windows 2000 Server CD in the \SUPPORT\TOOLS folder. Primary uses of replmon :
- Check for replication errors
- Run the KCC Knowledge Consistency Checker to check replication topology
- Synchronize each directory partition with all servers
- Generate status reports on replication info on servers
- List domain controllers
- Check Group Policy Object status
- Choose performance counters to be monitored
- List server hosting Global Catalog
- List bridgehead servers
- Display trust relationships
- List AD meta-data info
How can we diagnose any issue related to AD replication?
What is intersite and intrasite replication? Explain.
What is authoritative and non-authoritative restoration?
Active Directory is backed up as part of system state, a collection of system components that depend on each other. You must back up and restore system state components together.
Components that comprise the system state on a domain controller include:
- System Start-up Files (boot files). These are the files required for Windows 2000 Server to start.
- System registry.
- Class registration database of Component Services. The Component Object Model (COM) is a binary standard for writing component software in a distributed systems environment.
- SYSVOL. The system volume provides a default Active Directory location for files that must be shared for common access throughout a domain. The SYSVOL folder on a domain controller contains:
- NETLOGON shared folders. These usually host user logon scripts and Group Policy objects (GPOs) for non-Windows 2000-based network clients.
- User logon scripts for Windows 2000 Professional-based clients and clients that are running Windows 95, Windows 98, or Windows NT 4.0.
- Windows 2000 GPOs.
- File system junctions.
- File Replication service (FRS) staging directories and files that are required to be available and synchronized between domain controllers.
- Active Directory. Active Directory includes:
- Ntds.dit: The Active Directory database.
- Edb.chk: The checkpoint file.
- Edb*.log: The transaction logs, each 10 megabytes (MB) in size.
- Res1.log and Res2.log: Reserved transaction logs.
Note: If you use Active Directory-integrated DNS, then the zone data is backed up as part of the Active Directory database. If you do not use Active Directory-integrated DNS, you must explicitly back up the zone files. However, if you back up the system disk along with the system state, zone data is backed up as part of the system disk. If you installed Windows Clustering or Certificate Services on your domain controller, they are also backed up as part of system state.
Non-authoritative restore of Active Directory
A non-authoritative restore returns the domain controller to its state at the time of backup, then allows normal replication to overwrite that state with any changes that have occurred after the backup was taken. After you restore the system state, the domain controller queries its replication partners. The replication partners replicate any changes to the restored domain controller, ensuring that the domain controller has an accurate and updated copy of the Active Directory database.
Non-authoritative restore is the default method for restoring Active Directory, and you will use it in most situations that result from Active Directory data loss or corruption. To perform a non-authoritative restore, you must be able to start the domain controller in Directory Services Restore Mode.
Non-authoritative restore of SYSVOL
When you non-authoritatively restore the SYSVOL, the local copy of SYSVOL on the restored domain controller is compared with that of its replication partners. After the domain controller restarts, it contacts its replication partners, compares SYSVOL information, and replicates any necessary changes, bringing it up to date with the other domain controllers within the domain.
Perform a non-authoritative restore of SYSVOL if at least one other functioning domain controller exists in the domain. This is the default method for restoring SYSVOL and occurs automatically if you perform a non-authoritative restore of the Active Directory.
If no other functioning domain controller exists in the domain, then perform a primary restore of the SYSVOL. A primary restore builds a new File Replication service (FRS) database by loading the data present under SYSVOL on the local domain controller. This method is the same as a non-authoritative restore, except that the SYSVOL is marked primary.
Authoritative restore of Active Directory
An authoritative restore is an extension of the non-authoritative restore process. You must perform the steps of a non-authoritative restore before you can perform an authoritative restore. The main difference is that an authoritative restore has the ability to increment the version number of the attributes of all objects in an entire directory, all objects in a subtree, or an individual object (provided that it is a leaf object) to make it authoritative in the directory. Restore the smallest unit necessary, for example, do not restore the entire directory in order to restore a single subtree.
As with a non-authoritative restore, after a domain controller is back online, it will contact its replication partners to determine any changes since the time of the last backup. However, because the version number of the object attributes that you want to be authoritative will be higher than the existing version numbers of the attribute held on replication partners, the object on the restored domain controller will appear to be more recent and therefore will be replicated out to the rest of the domain controllers within the environment.
Unlike a non-authoritative restore, an authoritative restore requires the use of a separate tool, Ntdsutil.exe. No backup utilities— including the Windows 2000 Server system tools— can perform an authoritative restore.
An authoritative restore will not overwrite new objects that have been created after the backup was taken. You can authoritatively restore only objects from the configuration and domain-naming contexts. Authoritative restores of schema-naming contexts are not supported.
Perform an authoritative restore when human error is involved, such as when an administrator accidentally deletes a number of objects and that change replicates to the other domain controllers and you cannot easily recreate the objects. To perform an authoritative restore, you must start the domain controller in Directory Services Restore Mode.
Authoritative restore of SYSVOL
By authoritatively restoring the SYSVOL, you are specifying that the copy of SYSVOL that is restored from backup is authoritative for the domain. After the necessary configurations have been made, Active Directory marks the local SYSVOL as authoritative and it is replicated to the other domain controllers within the domain.
The authoritative restore of SYSVOL does not occur automatically after an authoritative restore of Active Directory. Additional steps are required.
As with Active Directory authoritative restore, you typically perform an authoritative restore of SYSVOL when human error is involved and the error has replicated to other domain controllers. For example, you might perform an authoritative restore of SYSVOL if an administrator has accidentally deleted an object that resides in SYSVOL, such as a Group Policy object.
How to restore the AD
What is Tombstone period?
The tombstone lifetime in an Active Directory forest determines how long a deleted object (called a "tombstone") is retained in Active Directory Domain Services (AD DS). The tombstone lifetime is determined by the value of the tombstoneLifetime attribute on the Directory Service object in the configuration directory partition.
In Microsoft Windows Server 2003 R2, the default tombstone lifetime (TSL) value remains at 60 days.
Note In Windows Server 2003 Service Pack 1, the default TSL value has increased from 60 days to 180 days.
What are Lingering Objects?
Lingering objects can occur if a domain controller does not replicate for an interval of time that is longer than the tombstone lifetime (TSL). The domain controller then reconnects to the replication topology. Objects that are deleted from the Active Directory directory service when the domain controller is offline can remain on the domain controller as lingering objects.
What is the difference between 2003 and 2008?
2008 is a combination of Vista and Windows 2003 R2. Some new services are introduced in it:
1. RODC, a new domain controller type introduced in it [Read-only Domain Controllers]
2. WDS (Windows Deployment Services) instead of RIS in 2003 server
3. Shadow copy for each and every folder
4. Boot sequence is changed
5. Installation is 32-bit, whereas in 2003 it is 16-bit as well as 32-bit; that's why installation of 2008 is faster
6. Services are known as roles in it
7. Group Policy editor is a separate option in ADS
2) The main difference between 2003 and 2008 is virtualization and management.
2008 has more inbuilt components and updated third-party drivers. Microsoft introduces a new feature with 2k8, Hyper-V: Windows Server 2008 introduces Hyper-V (V for Virtualization), but only on 64-bit versions. More and more companies are seeing this as a way of reducing hardware costs by running several 'virtual' servers on one physical machine. If you like this exciting technology, make sure that you buy an edition of Windows Server 2008 that includes Hyper-V, then launch the Server Manager and add Roles.
3) In Windows Server 2008, Microsoft is introducing new features and technologies, some of which were not available in Windows Server 2003 with Service Pack 1 (SP1), that will help to reduce the power consumption of server and client operating systems, minimize environmental byproducts, and increase server efficiency.
Microsoft Windows Server 2008 has been designed with energy efficiency in mind, to provide customers with ready and convenient access to a number of new power-saving features. It includes updated support for Advanced Configuration and Power Interface (ACPI) processor power management (PPM) features, including support for processor performance states (P-states) and processor idle sleep states on multiprocessor systems. These features simplify power management in Windows Server 2008 (WS08) and can be managed easily across servers and clients using Group Policies.
What is Strict Replication and how do you enable it?
Strict Replication is a mechanism developed by Microsoft for Active Directory replication. If a domain controller has Strict Replication enabled, it will not accept "Lingering Objects" from a domain controller that was isolated for longer than the tombstone lifetime. The TSL is 180 days by default on a forest created with Windows Server 2003 SP1. A domain controller shouldn't be out of sync for more than this period. Lingering objects may appear on other domain controllers if replication happens with the outdated domain controllers. These domain controllers will not replicate with the outdated domain controllers if you have set the registry key mentioned below. You must set the following registry setting on all domain controllers to enable Strict Replication:
- KEY Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
- Registry Entry: Strict Replication Consistency
- Value: 1 (enabled), 0 (disabled)
- Type: REG_DWORD
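The replication-monitoring, tombstone-lifetime/lingering-object and Strict Replication sections above come together in this added PowerShell audit (not code from the original page): it reads the forest's tombstoneLifetime, checks each DC's replication failures and partner links, reads the Strict Replication Consistency value and flags DCs at risk of importing lingering objects. It assumes the ActiveDirectory (RSAT) module, rights to read the configuration partition and WinRM access to each DC; the function names are this example's own.

```powershell
# Added example, not code from the original page: forest-wide replication health
# audit. Assumes the ActiveDirectory module and WinRM access to every DC.
Import-Module ActiveDirectory

$StrictRegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$StrictRegName = 'Strict Replication Consistency'

function Get-TombstoneLifetimeDays {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
        -Properties tombstoneLifetime
    # If the attribute is not set, the forest uses the old built-in default of 60 days.
    if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }
}

function Get-StrictReplicationValue {
    param([Parameter(Mandatory)][string]$DomainController)
    # Read the REG_DWORD remotely; $null means the value has never been set.
    Invoke-Command -ComputerName $DomainController -ArgumentList $StrictRegPath, $StrictRegName -ScriptBlock {
        param($path, $name)
        (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    }
}

function Enable-StrictReplication {
    param([Parameter(Mandatory)][string]$DomainController)
    # Sets the registry value the page lists (1 = enabled) on one DC.
    Invoke-Command -ComputerName $DomainController -ArgumentList $StrictRegPath, $StrictRegName -ScriptBlock {
        param($path, $name)
        Set-ItemProperty -Path $path -Name $name -Value 1 -Type DWord
    }
}

function Get-ReplicationHealthReport {
    $tslDays = Get-TombstoneLifetimeDays
    $cutoff  = (Get-Date).AddDays(-$tslDays)
    # Enumerate DCs of every domain in the forest, not just the current domain.
    $dcs = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
    foreach ($dc in $dcs) {
        $strict = Get-StrictReplicationValue -DomainController $dc.HostName
        $strictState = switch ($strict) { 1 { 'Enabled' } 0 { 'Disabled' } default { 'NotSet' } }
        # -Partition * covers schema, configuration, domain and application partitions.
        $partners = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Partition * -PartnerType Both `
            -ErrorAction SilentlyContinue
        # A partner link whose last success is older than the TSL is where lingering objects come from.
        $stale    = @($partners | Where-Object { $_.LastReplicationSuccess -lt $cutoff })
        $failures = @(Get-ADReplicationFailure -Target $dc.HostName -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            DomainController    = $dc.HostName
            TombstoneLifetime   = $tslDays
            StrictReplication   = $strictState
            ReplicationFailures = $failures.Count
            StalePartnerLinks   = $stale.Count
            # Without strict consistency, a DC will accept objects from a stale partner.
            LingeringObjectRisk = ($strict -ne 1) -and ($stale.Count -gt 0)
        }
    }
}

Get-ReplicationHealthReport | Format-Table -AutoSize
```

DCs reported with StrictReplication of NotSet or Disabled can be remediated with Enable-StrictReplication, one host at a time, after the stale partner links themselves have been dealt with.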
What are the new features of Win2008?
How many flavours of Win2k8 are there?
| Feature | Windows Server 2008 Web Edition | Windows Server 2008 Standard Edition | Windows Server 2008 Enterprise Edition | Windows Server 2008 Datacenter Edition |
|---|---|---|---|---|
| Supersedes | Windows Server 2003 Web Edition | Windows Server 2003 R2 Standard Edition; Windows Server 2003 R2 Standard x64 Edition | Windows Server 2003 R2 Enterprise Edition; Windows Server 2003 R2 Enterprise x64 Edition | Windows Server 2003 R2 Datacenter Edition; Windows Server 2003 R2 Datacenter x64 Edition |
| Hyper-V virtualization technology | Not included | Included | Included | Included |
| OS instances permitted per server license | One instance (physical or virtual) | One physical instance plus one virtual instance | One physical instance and up to 4 virtual instances | Unlimited number of OS instances |
| Maximum server RAM supported | 32-bit: 4GB; 64-bit: 32GB | 32-bit: 4GB; 64-bit: 32GB | 32-bit: 64GB; 64-bit: 2TB | 32-bit: 64GB; 64-bit: 2TB |
| Maximum number of CPUs | 4 | 4 | 8 | 64 |
| Hot swap RAM and CPUs | No | No | No | Yes |
| Cluster Service (failover) | No | No | Yes, up to 16 nodes per cluster | Yes, up to 16 nodes per cluster |
| Terminal Server | No | Yes | Yes | Yes |
| Network Access Protection | No | Yes | Yes | Yes |
| U.S. estimated retail price | US$470 per server (available only without Hyper-V) | US$800 per server (US$772 without Hyper-V) | US$3,000 per server (US$2,972 without Hyper-V) | US$3,000 per processor (US$2,972 per processor without Hyper-V) |
| CALs or External Connector required | No | Yes | Yes | Yes |
How do you find which server holds DHCP?
How do you configure the DHCP server?
If users are not getting an IP from the DHCP server, what steps do you take to fix the issue?
What is the process by which a user gets an IP from the DHCP server?
- DORA process
- DISCOVER: when a client is configured to obtain an IP address automatically, it searches for a DHCP server by sending a UDP broadcast (DHCP Discover).
- OFFER: the DHCP server offers an IP address from the scope available in its pool.
- REQUEST: in response to the offer, the client requests the IP address.
- ACKNOWLEDGE: in response to the request, the server responds with the IP address, subnet mask, gateway, DNS and WINS information along with the acknowledgment packet.
DHCP Message Types
- DHCPDISCOVER: used by the DHCP client to discover DHCP servers.
- DHCPOFFER: used by the DHCP server to respond to a received DHCPDISCOVER message; it also offers configuration details at that time.
- DHCPREQUEST: comes from a client to the DHCP server to convey three different messages. The first is to request configuration details from one specific DHCP server, specifically rejecting offers from any other potential DHCP servers. Secondly, it can be used to verify a previously used IP address after a system has rebooted. Lastly, it can be used to extend the lease of a specific IP address.
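As an added example (not code from the original page), this PowerShell parses the DHCP message type (option 53) and server identifier (option 54) out of the DORA packets described above and flags OFFER/ACK replies that do not come from an approved DHCP server, which is the kind of check used to spot an unexpected DHCP server on a segment. The packets, server addresses and function names are constructed here for illustration.

```powershell
# Added example, not code from the original page: parse DHCP option 53/54 from
# BOOTP/DHCP packets and report replies from servers not on an approved list.
$DhcpMessageTypes = @{ 1 = 'DHCPDISCOVER'; 2 = 'DHCPOFFER'; 3 = 'DHCPREQUEST'; 4 = 'DHCPDECLINE'
                       5 = 'DHCPACK'; 6 = 'DHCPNAK'; 7 = 'DHCPRELEASE'; 8 = 'DHCPINFORM' }

function ConvertFrom-DhcpPacket {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    # Fixed BOOTP header: op(1) htype(1) hlen(1) hops(1) xid(4) secs(2) flags(2)
    # ciaddr(4) yiaddr(4) siaddr(4) giaddr(4) chaddr(16) sname(64) file(128) = 236 bytes,
    # then the magic cookie 63 82 53 63 and the variable-length options.
    if ($Bytes.Length -lt 240) { throw 'Too short to be a DHCP packet' }
    $cookie = ($Bytes[236..239] | ForEach-Object { '{0:X2}' -f $_ }) -join ''
    if ($cookie -ne '63825363') { throw "Missing DHCP magic cookie (got $cookie)" }
    $result = [ordered]@{
        Op               = if ($Bytes[0] -eq 1) { 'BOOTREQUEST' } else { 'BOOTREPLY' }
        TransactionId    = '0x' + (($Bytes[4..7] | ForEach-Object { '{0:X2}' -f $_ }) -join '')
        YourIp           = $Bytes[16..19] -join '.'
        ClientMac        = ($Bytes[28..33] | ForEach-Object { '{0:X2}' -f $_ }) -join ':'
        MessageType      = $null
        ServerIdentifier = $null
    }
    $i = 240
    while ($i -lt $Bytes.Length) {
        $code = $Bytes[$i]
        if ($code -eq 0)   { $i++; continue }   # pad option has no length byte
        if ($code -eq 255) { break }            # end option
        if ($i + 1 -ge $Bytes.Length) { throw 'Truncated option header' }
        $len = [int]$Bytes[$i + 1]
        if ($i + 1 + $len -ge $Bytes.Length) { throw "Option $code runs past the packet" }
        $value = if ($len -gt 0) { $Bytes[($i + 2)..($i + 1 + $len)] } else { @() }
        switch ($code) {
            53 { if ($len -eq 1) { $result.MessageType = $DhcpMessageTypes[[int]$value[0]] } }
            54 { if ($len -eq 4) { $result.ServerIdentifier = $value -join '.' } }
        }
        $i += 2 + $len
    }
    [pscustomobject]$result
}

# Builds a constructed sample packet: fixed header, cookie, option 53, optional option 54, end.
function New-SampleDhcpPacket {
    param([Parameter(Mandatory)][int]$MessageType, [string]$ServerIp, [string]$YourIp = '0.0.0.0')
    $pkt = New-Object byte[] 240
    $pkt[0] = if ($MessageType -in 1, 3, 4, 7, 8) { 1 } else { 2 }            # client request or server reply
    $pkt[1] = 1; $pkt[2] = 6                                                   # Ethernet, 6-byte address
    [Array]::Copy([byte[]](0x12, 0x34, 0x56, 0x78), 0, $pkt, 4, 4)             # xid
    [Array]::Copy([byte[]]($YourIp.Split('.') | ForEach-Object { [byte]$_ }), 0, $pkt, 16, 4)
    [Array]::Copy([byte[]](0x00, 0x1A, 0x2B, 0x3C, 0x4D, 0x5E), 0, $pkt, 28, 6) # chaddr (constructed)
    [Array]::Copy([byte[]](0x63, 0x82, 0x53, 0x63), 0, $pkt, 236, 4)           # magic cookie
    $options = @(53, 1, $MessageType)
    if ($ServerIp) { $options += @(54, 4) + @($ServerIp.Split('.') | ForEach-Object { [int]$_ }) }
    $options += 255
    ,[byte[]]($pkt + $options)   # leading comma returns the array intact instead of unrolling it
}

function Find-UnapprovedDhcpServer {
    param([Parameter(Mandatory)][byte[][]]$Packets, [Parameter(Mandatory)][string[]]$ApprovedServers)
    foreach ($raw in $Packets) {
        $p = ConvertFrom-DhcpPacket -Bytes $raw
        # Only server-originated messages carry a meaningful server identifier.
        if (($p.MessageType -in 'DHCPOFFER', 'DHCPACK', 'DHCPNAK') -and ($p.ServerIdentifier -notin $ApprovedServers)) {
            [pscustomobject]@{ MessageType = $p.MessageType; Server = $p.ServerIdentifier
                               OfferedIp = $p.YourIp; ClientMac = $p.ClientMac }
        }
    }
}

# Constructed samples: a DISCOVER, an OFFER from the approved 10.0.0.2, and an OFFER from an unlisted 10.0.0.99.
$samples = @(
    (New-SampleDhcpPacket -MessageType 1),
    (New-SampleDhcpPacket -MessageType 2 -ServerIp '10.0.0.2'  -YourIp '10.0.0.50'),
    (New-SampleDhcpPacket -MessageType 2 -ServerIp '10.0.0.99' -YourIp '10.0.0.77')
)
Find-UnapprovedDhcpServer -Packets $samples -ApprovedServers '10.0.0.2' | Format-Table -AutoSize
```

Only the OFFER from 10.0.0.99 is reported; the DISCOVER carries no server identifier and the OFFER from 10.0.0.2 is on the approved list.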
How can we seize roles?
How can we transfer roles from one DC to another?
What is Kerberos and what is its process?
What does a system state backup contain?
The following system components make up the System State data:
- Registry
- COM+ class registration database
- Boot files, including the system files
- Certificate services database
- Active Directory
- The system volume
If the workstation is a domain controller, the following components are backed up:
- Active directory (NTDS)
- The system volume (SYSVOL)
If the workstation is a certificate server, then the related data is also backed up. Many security and other disasters can be fixed by restoring System State to a good configuration.
How can you take a backup of a DC?
Are you aware of the ITIL process?
Explain the processes in ITIL, such as Incident Management, Change Management and Problem Management.
How do you do the patching?
Do you know SCOM and its configuration?
What is the ticketing tool used?
How do you upgrade the O/S?
What are all the different modes of the O/S?
Kernel Mode
In Kernel mode, the executing code has complete and unrestricted access to the underlying hardware. It can execute any CPU instruction and reference any memory address. Kernel mode is generally reserved for the lowest-level, most trusted functions of the operating system. Crashes in kernel mode are catastrophic; they will halt the entire PC.
User Mode
In User mode, the executing code has no ability to directly access hardware or reference memory. Code running in user mode must delegate to system APIs to access hardware or memory. Due to the protection afforded by this sort of isolation, crashes in user mode are always recoverable. Most of the code running on your computer will execute in user mode.
Which files make up the AD database?
In Windows 2000 the Active Directory data store, the actual database file, is %SystemRoot%\ntds\NTDS.DIT. The ntds.dit file is the heart of Active Directory, including user accounts. Active Directory's database engine is the Extensible Storage Engine (ESE), which is based on the Jet database used by Exchange 5.5 and WINS. The ESE can grow to 16 terabytes, which would be large enough for 10 million objects. Back to the real world: only the Jet database engine can manipulate information within the AD data store.
For information on domain controller configuration to optimize Active Directory, see Optimize Active Directory Disk Performance
The Active Directory ESE database, NTDS.DIT, consists of the following tables:
- Schema table: the types of objects that can be created in the Active Directory, relationships between them, and the optional and mandatory attributes on each type of object. This table is fairly static and much smaller than the data table.
- Link table: contains linked attributes, which contain values referring to other objects in the Active Directory. Take the MemberOf attribute on a user object. That attribute contains values that reference groups to which the user belongs. This is also far smaller than the data table.
- Data table: users, groups, application-specific data, and any other data stored in the Active Directory. The data table can be thought of as having rows where each row represents an instance of an object such as a user, and columns where each column represents an attribute in the schema such as GivenName.
Any idea about virtualization technology?
What is virtual memory?
The purpose of virtual memory is to enlarge the address space, the set of addresses a program can utilize. For example, virtual memory might contain twice as many addresses as main memory. A program using all of virtual memory, therefore, would not be able to fit in main memory all at once. Nevertheless, the computer could execute such a program by copying into main memory those portions of the program needed at any given point during execution.
To facilitate copying virtual memory into real memory, the operating system divides virtual memory into pages, each of which contains a fixed number of addresses. Each page is stored on a disk until it is needed. When the page is needed, the operating system copies it from disk to main memory, translating the virtual addresses into real addresses.
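The two paragraphs above describe demand paging in words; the following added example (not code from the original post) models it: a virtual address space larger than physical memory, a page table that maps only resident pages to frames, and a page fault that copies the needed page from the backing store into a frame, evicting the oldest resident page when every frame is in use. The page size, frame count and FIFO eviction policy are assumptions made for the example.

```python
"""Demand-paged address translation (constructed example, not from the original post)."""
PAGE_SIZE = 4096      # assumed page size in bytes


class PagedMemory:
    def __init__(self, num_frames, backing_store):
        self.num_frames = num_frames
        self.backing_store = backing_store   # page number -> page content (the "disk")
        self.frames = [None] * num_frames    # physical (main) memory, one slot per frame
        self.page_table = {}                 # page number -> frame number, resident pages only
        self.resident = []                   # resident pages in load order, for FIFO eviction
        self.page_faults = 0

    def translate(self, vaddr):
        """Virtual address -> physical address, faulting the page in if it is not resident."""
        page, offset = divmod(vaddr, PAGE_SIZE)
        if page not in self.backing_store:
            raise MemoryError(f"access violation: 0x{vaddr:x} is not mapped")
        if page not in self.page_table:
            self._page_in(page)
        return self.page_table[page] * PAGE_SIZE + offset

    def _page_in(self, page):
        self.page_faults += 1
        if len(self.resident) == self.num_frames:
            victim = self.resident.pop(0)              # oldest resident page is evicted
            frame = self.page_table.pop(victim)
        else:
            frame = len(self.resident)                 # a free frame is still available
        self.frames[frame] = self.backing_store[page]  # copy disk -> main memory
        self.page_table[page] = frame
        self.resident.append(page)

    def read(self, vaddr):
        """Read one byte through the translation, exactly as a running program would."""
        frame, offset = divmod(self.translate(vaddr), PAGE_SIZE)
        return self.frames[frame][offset]


def make_program(num_pages):
    """A constructed program image: every byte of page p holds the value p."""
    return {p: bytes([p]) * PAGE_SIZE for p in range(num_pages)}
```

With four virtual pages and only two frames, the whole program never fits in memory at once, yet every read succeeds; the page fault counter shows how much copying that costs. The access violation for an unmapped page is the same class of error a real OS reports when a program dereferences an address outside its mappings.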
Important port numbers such as FTP, Telnet, RDP and DNS?
What is a heartbeat?
What is the difference between NTFS and share permissions? What is VSS?
Are you aware of Volume Shadow Copy? Please explain.
Can we use a Linux DNS server in a Windows 2000 domain?
GPMC and RSoP in Windows 2003?
How to use recovery console?
How do you take DNS, WINS and DHCP backups? What is the use of Terminal Services, and what are its modes?
How is Active Directory scalable?
What is multimaster replication?
Multimaster Replication
Active Directory uses multimaster replication to accomplish the synchronization of directory information. True multimaster replication can be contrasted with other directory services that use a master-slave approach to updates wherein all updates must be made to the master copy of the directory and then be replicated to the slave copies. This system is adequate for a directory that has a small number of copies and for an environment where all of the changes can be applied centrally. But this approach does not scale beyond small-sized organizations nor does it address the needs of decentralized organizations. With Active Directory, no one domain controller is the master. Instead, all domain controllers within a domain are equivalent. Changes can be made to any domain controller, unlike a single-master system, where changes must be made to one server. In the single-master system, the primary server replicates the updated information to all other directory servers in the domain.
With multimaster replication, it is not necessary for every domain controller to replicate with every other domain controller. Instead, the system implements a robust set of connections that determines which domain controllers replicate to which other domain controllers to ensure that networks are not overloaded with replication traffic and that replication latency is not so long that it causes inconvenience to users. The set of connections through which changes are replicated to domain controllers in an enterprise is called the replication topology.
Multimaster update capability provides high availability of write access to directory objects because several servers can contain writable copies of an object. Each domain controller in the domain can accept updates independently, without communicating with other domain controllers. The system resolves any conflicts in updates to a specific directory object. If updates cease and replication continues, all copies of an object eventually reach the same value.
The manner in which a directory service stores information directly determines the performance and scalability of the directory service. Directory services must handle a large number of queries compared to the number of updates they must process. A typical ratio of queries to updates is 99:1. By creating multiple copies of the directory and keeping the copies consistent, the directory service can handle more queries per second.
Multimaster replication provides the following advantages over single-master replication:
- If one domain controller becomes inoperable, other domain controllers can continue to update the directory. In single-master replication, if the primary domain controller becomes inoperable, directory updates cannot take place. For example, if the failed server holds your password and your password has expired, you cannot reset your password and therefore you cannot log on to the domain.
- Servers that are capable of making changes to the directory, which in Windows 2000 are domain controllers, can be distributed across the network and can be located in multiple physical sites.
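The section above says each domain controller accepts updates independently, that conflicts are resolved, and that all copies eventually reach the same value. The following added example (not code from the original page) shows how that convergence works for a single attribute: every originating write carries a stamp, and on replication the stamp that compares higher wins, comparing version first, then originating timestamp, then the originating DC's identifier. That ordering is the rule Active Directory applies to attribute conflicts; the DC names, identifiers, attribute values and times are assumptions made for the example.

```python
"""Multimaster update and conflict resolution (constructed example, not from the original page)."""
from dataclasses import dataclass


@dataclass(order=True, frozen=True)
class Stamp:
    version: int        # incremented on every originating write of the attribute
    timestamp: int      # originating time (seconds); breaks ties between equal versions
    dsa_id: str         # originating DC identifier; the higher value breaks remaining ties


class DomainController:
    def __init__(self, name, dsa_id):
        self.name, self.dsa_id = name, dsa_id
        self.attrs = {}     # attribute name -> (value, Stamp)

    def write(self, attr, value, now):
        """Originating write: accepted locally with no coordination with other DCs."""
        old = self.attrs.get(attr)
        version = old[1].version + 1 if old else 1
        self.attrs[attr] = (value, Stamp(version, now, self.dsa_id))

    def apply(self, attr, value, stamp):
        """Replicated write: accepted only if the incoming stamp compares higher."""
        old = self.attrs.get(attr)
        if old is None or stamp > old[1]:
            self.attrs[attr] = (value, stamp)
            return True
        return False

    def value(self, attr):
        return self.attrs[attr][0]


def replicate(src, dst):
    """Push every attribute from src to dst; returns how many changes dst accepted."""
    return sum(dst.apply(a, v, s) for a, (v, s) in src.attrs.items())


def concurrent_update(t_a, t_b):
    """Two DCs change the same attribute before replicating; return what each ends with."""
    dc_a = DomainController("DC-A", "dsa-a")
    dc_b = DomainController("DC-B", "dsa-b")
    dc_a.write("telephoneNumber", "1000", now=0)      # initial value, version 1
    replicate(dc_a, dc_b)                             # both replicas agree
    dc_a.write("telephoneNumber", "2000", now=t_a)    # version 2 on DC-A
    dc_b.write("telephoneNumber", "3000", now=t_b)    # version 2 on DC-B: a conflict
    replicate(dc_a, dc_b)
    replicate(dc_b, dc_a)
    return dc_a.value("telephoneNumber"), dc_b.value("telephoneNumber")
```

Because the comparison is deterministic, the order in which the two replications happen does not matter: both DCs end with the same value, which is the "eventually reach the same value" property the text describes. The version-before-timestamp rule also means a DC whose clock is wrong cannot win a conflict simply by writing a later timestamp if the other replica has been updated more times.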
Define each of the following names: DN, RDN, GUID, UPN. What is the primary reason for defining an OU?
What is the difference between a site link and a connection object?
What is the booting process?
- First is the POST, which stands for Power On Self Test, for the computer. This process tests memory as well as a number of other subsystems. You can usually monitor this as it runs each test. After that is complete the system will run POST for any device that has a BIOS (Basic Input-Output System). An AGP video card has its own BIOS, as do some network cards and various other devices.
- Once the POST is complete and the BIOS is sure that everything is working properly, the BIOS will then attempt to read the MBR (Master Boot Record). This is the first sector of the first hard drive (called the Master or HD0). When the MBR takes over it means that Windows is now in control.
- The MBR looks at the BOOT SECTOR (the first sector of the active partition). That is where NTLDR is located; NTLDR is the BOOT LOADER for Windows XP. NTLDR will enable memory addressing, initiate the file system, read the boot.ini and load the boot menu. NTLDR has to be in the root of the active partition, as do NTDETECT.COM, BOOT.INI, BOOTSECT.DOS (for multi-OS booting) and NTBOOTDD.SYS (if you have SCSI adapters).
- Once XP is selected from the Boot Menu, NTLDR will run NTDETECT.COM, BOOT.INI and BOOTSECT.DOS to get the proper OS selected and loaded. The system starts in 16-bit real mode and then moves into 32-bit protected mode.
- NTLDR will then load NTOSKRNL.EXE and HAL.DLL. Effectively, these two files are Windows XP. They must be located in %SystemRoot%\System32.
- NTLDR reads the registry, chooses a hardware profile and authorizes device drivers, in that exact order.
- At this point NTOSKRNL.EXE takes over. It starts WINLOGON.EXE, which in turn starts LSASS.EXE; this is the program that displays the logon screen so that you can log on.
Which command is used to create an application directory partition?
DnsCmd ServerName /EnlistDirectoryPartition <FQDN of partition>
Default settings for password policy
What will be the next action plan if we get a hardware alert?
What will be the next action plan if a customer reports that a server is down?
What is Loopback Group Policy?
Ans:- Group Policy applies to the user or computer in a manner that depends on where both the user and the computer objects are located in Active Directory. However, in some cases, users may need policy applied to them based on the location of the computer object alone. You can use the Group Policy loopback feature to apply Group Policy Objects (GPOs) that depend only on which computer the user logs on to.
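The answer above describes when loopback is needed; the following added example (not code from the original post) makes the processing order concrete. Normal processing takes User Configuration settings from the GPOs that cover the user object's location. With loopback in Merge mode, the GPOs covering the computer object's location are processed after them, so they win on conflict; in Replace mode they are processed instead of the user's GPOs. The GPO names and settings are constructed for the example and stand in for whatever your domain actually links.

```python
"""Which GPOs supply user settings under loopback (constructed example, not from the original post)."""


def user_policy_order(user_location_gpos, computer_location_gpos, loopback=None):
    """Return the GPOs whose User Configuration applies, in processing order (last one wins)."""
    if loopback is None:                       # loopback not configured
        return list(user_location_gpos)
    if loopback == "merge":                    # user's GPOs first, computer's GPOs override
        return list(user_location_gpos) + list(computer_location_gpos)
    if loopback == "replace":                  # only the computer location's GPOs apply
        return list(computer_location_gpos)
    raise ValueError(f"unknown loopback mode: {loopback!r}")


def resolve_settings(gpos):
    """Flatten ordered GPOs into effective settings; later GPOs override earlier ones."""
    effective = {}
    for gpo in gpos:
        effective.update(gpo["user_settings"])
    return effective


# Constructed GPOs: the staff OU allows removable storage and a long screen-saver
# timeout; the kiosk computer OU forbids removable storage and locks quickly.
USER_OU_GPOS = [
    {"name": "Default Domain Policy", "user_settings": {"ScreenSaverTimeout": 900}},
    {"name": "Staff Users", "user_settings": {"RemovableStorageDeny": 0, "Wallpaper": "corp.jpg"}},
]
KIOSK_OU_GPOS = [
    {"name": "Kiosk Computers", "user_settings": {"RemovableStorageDeny": 1, "ScreenSaverTimeout": 60}},
]


def effective_for(loopback):
    """Effective user settings for a staff user logging on to a kiosk computer."""
    return resolve_settings(user_policy_order(USER_OU_GPOS, KIOSK_OU_GPOS, loopback))
```

Without loopback, a staff user on a kiosk keeps the permissive staff settings, which is the situation the answer says loopback exists to fix; Merge keeps the user's non-conflicting settings (the wallpaper) while the kiosk restrictions win, and Replace drops the user's GPOs entirely. When checking the result on a real machine, the loopback mode is set in the GPO's Computer Configuration and the outcome can be confirmed with RSoP rather than by reading the GPO links by hand.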
TCP/UDP ports used in Windows?