
Vision Infosystems (VIS) Interview Questions

QUESTIONS ON ADS

1. What is ADS ?

ADS can be defined as a logical network structure or model of Windows 2000 and
Windows 2003 which includes forests, trees, domains, etc.

2. What are the Advantages of ADS ?

• Centralised data storage : All domain information is stored in a single,
distributed repository.
• Extensibility : We can extend the features of ADS by updating the schema.
• Backward compatibility : ADS is compatible with the Windows NT directory
service.
• Scalable : ADS is scalable to meet customer requirements.
• Policy-based administration : ADS is enriched with a number of policy settings to
improve security, etc.
• LDAP support : ADS uses LDAP, which allows other LDAP-compatible
applications to communicate with ADS.
• Directory-enabled application support : Using the application data partition
feature, you can allow applications to use ADS features.

3) What is the function of Sysvol ?

Sysvol is a special public folder located on an NTFS partition of a domain controller. Sysvol
is used for storing public files like login scripts, GPO templates, etc. The contents of
the Sysvol folder are replicated to all DCs in the domain.

4) What is LDAP and its port ?

Lightweight Directory Access Protocol (LDAP) is a protocol used to query or access the
Active Directory database. It uses TCP port 389.

5) Which service does Sysvol use for replication ?

Sysvol uses File Replication Service (FRS) for replication.

www.visioninfosystems.org Page No : 1

6) What is FRS ?

FRS is the replication service used for replication of DFS and Sysvol contents.

7) What is DN and RDN ?

DN = Distinguished Name

Every object in Active Directory has a distinguished name (DN). The DN is unique
among all other objects and contains the full information needed to retrieve the object. The
DN contains the domain where the object resides and the path to the object. The DN is
made up of these attributes (or qualities):

DomainComponentName (DC)
OrganizationalUnitName (OU)
CommonName (CN)

For example

CN=ajay,OU=admins,DC=vision,DC=com

The above path specifies that a user named ajay resides in the admins OU and that this OU
belongs to the domain vision.com.

RDN = Relative Distinguished Name

The RDN is the part of the DN that defines the actual object, called an attribute. This is
the CN, or common name.
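
An added example (not part of the original question sheet): a Python parser that splits a DN such as the one above into its RDNs, treats backslash-escaped commas as part of a value, and derives the object's RDN, container path and DNS domain name. The function names and the second sample DN are constructed for illustration.

```python
import string

_HEX = set(string.hexdigits)


def split_dn(dn):
    """Split a DN into (attribute, value) pairs, leftmost RDN first.

    Handles backslash escapes: '\\,' and the hex form '\\2C' both mean a
    literal comma inside a value, not an RDN separator. Multi-valued RDNs
    ('+') and non-ASCII hex sequences are out of scope for this sketch.
    """
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in _HEX for c in pair):
                current.append(chr(int(pair, 16)))   # hex escape, e.g. \2C
                i += 3
            elif i + 1 < len(dn):
                current.append(dn[i + 1])            # escaped literal, e.g. \,
                i += 2
            else:
                raise ValueError("DN ends with a dangling backslash")
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))

    rdns = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not (sep and attr.strip() and value.strip()):
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def describe(dn):
    """Return the object's RDN, its container path and its DNS domain."""
    rdns = split_dn(dn)
    return {
        "rdn": rdns[0],
        "containers": [f"{a}={v}" for a, v in rdns[1:] if a != "DC"],
        "domain": ".".join(v for a, v in rdns if a == "DC"),
    }


# The page's example plus a constructed DN whose CN contains a comma.
PAGE_DN = "CN=ajay,OU=admins,DC=vision,DC=com"
ESCAPED_DN = r"CN=Smith\, John,OU=Sales,OU=EMEA,DC=vision,DC=com"

if __name__ == "__main__":
    for dn in (PAGE_DN, ESCAPED_DN):
        print(describe(dn))
```

Splitting the second DN on every comma would yield six pieces instead of five RDNs, which is why code that builds or compares DNs from user input has to handle the escape.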

8) What is Schema ?

The Active Directory schema defines objects that can be stored in Active Directory. The
schema is a list of definitions that determines the kinds of objects and the types of
information about those objects that can be stored in Active Directory. In simple
language, the schema defines the structure and attributes of every object stored in Active Directory.

9) What is Global Catalog and its port number ?

A global catalog is a domain controller that stores a copy or replica of all Active
Directory objects in a forest. The global catalog stores a full copy of all objects of the
domain in which it resides and a partial copy of all objects for all other domains in the
forest. The partial copy stores the most commonly used attributes of all domain objects.
The global catalog lets users search for objects easily and quickly within the forest
without affecting network performance. Users use TCP port 3268 to query or access the
global catalog.

10) How can we change the administrator Directory Services Restore Mode password ?

We can change the Directory Services Restore Mode password using the ntdsutil.exe utility.

Example : ntdsutil "set dsrm password" "reset password on server DC1"

FSMO ROLES

1) Explain in short about 5 FSMO roles

• Schema Master : is a domain controller that handles all active directory schema
related activities in a Forest.
• Domain Naming Master : handles or controls the addition or removal of
domains in the forest.
• RID master : is a DC which assigns or distributes RIDs to every DC in a
Domain.
• PDC emulator : provides emulated PDC service for Windows NT BDCs in
mixed mode.
• Infrastructure master : is responsible for updating references from objects in its
domain to objects in other domains.

2) What is PDC emulator role ?

PDC emulator provides various services

In mixed mode
• To act as PDC for Windows NT BDCs
• Password changes performed by other DCs in the domain are replicated
preferentially to the PDC emulator.
• Authentication failures that occur at a given DC in a domain because of an
incorrect password are forwarded to the PDC emulator before a bad password
failure message is reported to the user.
• Account lockout is processed on the PDC emulator.

In native mode
• Password changes performed by other DCs in the domain are replicated
preferentially to the PDC emulator.
• Account lockout is processed on the PDC emulator.
• Authentication failures that occur at a given DC in a domain because of an
incorrect password are forwarded to the PDC emulator before a bad password
failure message is reported to the user.
• Time synchronization between DCs
• Editing or creation of Group Policy Objects (GPO) is always done from the GPO
copy found in the PDC Emulator's SYSVOL share, unless configured not to do so
by the administrator.

3) What happens when the PDC emulator is down ?

If the PDC master is down or offline, it affects network users. Users will not be able to handle
password changes, account lockout, time sync, etc. Therefore, when the PDC emulator
master is not available, you may need to immediately seize the role.

4) What is the difference between seizing and transfer of roles ?

The difference between transfer and seize is that seizing is used when the source DC is
down or offline. Seizing means forcing a DC to take control of the role if the
original DC is down or offline, while in the case of a transfer both the source and destination
DCs should be online.

5) Why is it not recommended to place the infrastructure master and global catalog on
the same DC ?

The infrastructure master's job is to compare objects of the local domain against objects in
other domains of the same forest. If the server holding the infrastructure master is also a
global catalog, it won't ever see any differences, since the global catalog holds a partial
copy of every object in the forest itself. Therefore the infrastructure master won't do
anything in its domain.

6) What is seizing of roles ?

Seizing means forcibly assigning a role to a new DC if the original DC is down
or offline.

7) What are the two methods of transferring domain-level roles ?

Method - I
Active Directory Users and Computers snap-in

Method - II
ntdsutil.exe is a command-line tool used to transfer or seize operations master roles

8) What are the two methods of transferring forest-level roles ?

Method - I
Schema master : Active Directory Schema snap-in
Domain naming master : Active Directory Domains and Trusts

Method - II
ntdsutil.exe is a command-line tool used to transfer or seize operations master roles

9) Which command is used to view the domain naming master role ?

dsquery server -hasfsmo name

10) How to view the Schema Master role ?

dsquery server -hasfsmo schema

FUNCTIONAL LEVEL AND ADS files


1) What are the forest and domain functional levels ?

Domain Functional Level

• Windows 2000 mixed (default) : Windows NT 4.0, Windows 2000, Windows Server 2003 family
• Windows 2000 native : Windows 2000 Server, Windows Server 2003 family
• Windows Server 2003 interim : Windows NT 4.0, Windows Server 2003 family
• Windows Server 2003 : Windows Server 2003 family only

Forest functional level

• Windows 2000 (default) : Windows NT 4.0, Windows 2000, Windows Server 2003 family
• Windows Server 2003 interim : Windows NT 4.0, Windows Server 2003 family
• Windows Server 2003 : Windows Server 2003 family only

2) How to raise forest functional level ?

In the Active Directory Domains and Trusts snap-in, right-click on Active Directory Domains
and Trusts and then select Raise Forest Functional Level.

3) How to raise domain functional level ?

In the Active Directory Users and Computers snap-in, right-click on Active Directory
Domains and Trusts and then select Raise Forest Functional Level.

4) Can we revert back to previous functional level ?

No, we cannot move back or revert back to previous functional level.

5) Which mode supports the domain rename feature ?

Forest Functional Level : Windows 2003 Server
Domain Functional Level : Windows 2003 Server

6) Which mode supports a mixture of NT and 2003 ?

Interim mode

7) What are 4 partitions of NTDS.DIT files ?

• Schema partition : it stores the Active Directory schema.
• Configuration partition : it stores configuration information about Active
Directory, i.e. our current Active Directory topology like forest, trees, domains, etc.
• Domain data partition : it stores information about your current domain like
users, groups, etc.
• Application data partition : A new partition type used in Windows 2003. It is a
type of directory partition that can be used by applications to store application-
specific data in the Active Directory database.

8) How to move ADS files to a different location ?

We can move the Active Directory files to a different location using the NTDSUTIL.EXE utility.
The files can only be moved in Directory Services Restore Mode.

    ntdsutil
    files
    move db to <DriveAndFolder>
    move logs to <DriveAndFolder>
    quit

9) How to compact the ADS database file ?

We can compact the Active Directory database file using the NTDSUTIL.EXE utility.

10) Which are ADS files ?

NTDS.DIT : Active Directory database file
EDB.log : Active Directory transaction log file
RES1.log and RES2.log : reserved log files
TEMP.edb : temporary Active Directory database file
EDB.chk : checkpoint file

11) How to create Application partition using command line ?

Creating Application directory partitions

1. Open a command prompt.
2. Type: ntdsutil
3. At the ntdsutil command prompt, type: domain management.
4. At the domain management command prompt, type: connection.
5. At the connection command prompt, type: connect to server ServerName.
6. At the connection command prompt, type: quit.
7. At the domain management command prompt, do one of the following:

To create an application directory partition, type: create nc
ApplicationDirectoryPartition DomainController

To delete an application directory partition, type: delete nc
ApplicationDirectoryPartition

BACKUP AND RECOVERY


1) What does a system state backup include ?

Contents of System State Backup

• SysVol Folder
• Active Directory Database
• COM+ components
• Registry
• Boot Files

2) What is authoritative and non-authoritative restore?

Non-Authoritative : In a non-authoritative restore, the system state data on a domain
controller is restored from backup media and the restored data is then updated through
normal replication. Each restored directory partition is updated with that of its replication
partners by replication after you restore the data. This restore can be overwritten by other
DCs if they have the latest backup.

Authoritative restore : An authoritative restore brings a domain or back to the state it
was in at the time of backup and overwrites all changes made since the backup. This
restore cannot be overwritten by other DCs. An authoritative restore overwrites all DC
system state data.

3) What are the different types of restore?

• Primary Restore : This restore method is used if you have a single DC in a
domain. This is also a type of non-authoritative restore.
• Non-Authoritative restore : This restore is overwritten by other DCs if they have
the latest replication data.
• Authoritative restore : This restore is not overwritten by other DCs.
• Subtree restore : To restore a particular subset of the backup, such as a specific
OU.
• Single object restore : To restore a single object like a user, group, etc.

4) What is Directory Service Restore mode ?

Directory Services Restore Mode (DSRM) is a special boot mode. It is used to log on to
the computer when Active Directory has failed or needs to be restored.

5) Explain types of backup method

• Normal : This option backs up the selected files and clears the archive bit if it is set.
• Copy : This option backs up the selected files and does not clear the archive bit.
• Differential : This option backs up only the selected files where the archive bit is set.
It does not clear the archive bit.
• Incremental : This option backs up only the selected files where the archive bit is
set. It clears the archive bit.
• Daily : This option does not use the archive bit. It backs up files with a Modified
timestamp that matches the backup date.

Table for Backup bits

Backup type     Archive Bit (Clear)
Normal          Yes
Incremental     Yes
Differential    No
Daily           No
Copy            Yes

6) How to perform an authoritative restore ?

After restoring the database using the NTBACKUP utility, do not restart the server. Run the
following commands to perform an authoritative restore of the entire database:

    ntdsutil
    auth restore
    restore database
    quit

Restart the computer.

7) How to perform an authoritative restore of a single object ?

    ntdsutil
    auth restore
    restore object cn=jsmith,ou=Sales,dc=rallencorp,dc=com
    quit

8) How to perform an authoritative restore of a subtree ?

    ntdsutil
    auth restore
    restore subtree ou=Sales,dc=rallencorp,dc=com
    quit

9) How to repair/recover Active directory database ?

First, reboot into DS Restore Mode.

Run the following commands to perform a soft recovery of the transaction log files:

    ntdsutil
    files
    recover
    quit

If you continue to experience errors, you may need to run a repair, which does a low level
repair of the database, but can result in loss of data:

    ntdsutil
    files
    repair
    quit

If either the recover or repair is successful, you should then check the integrity:

    ntdsutil
    files
    integrity
    quit

    ntdsutil
    semantic database analysis
    verbose on
    go

10) How to change Directory service restore mode password ?

1. Click Start, click Run, type ntdsutil, and then click OK.
2. At the Ntdsutil command prompt, type set dsrm password.
3. At the DSRM command prompt, type one of the following lines:
   To reset the password on the server on which you are working, type reset
   password on server <Servername>

GROUP POLICY OBJECT

1) At which levels are GPOs implemented ?

GPOs are implemented at Site Level, Domain Level and OU Level.

2) Where are Local Computer Policies stored ?

Local computer policies are stored on the local machine under the
%systemroot%\system32\grouppolicy folder.

3) Which are the default GPO created on a Windows 2003 Domain Controller ?

By default, when the Active Directory service is installed, two Active Directory based GPOs
are created:

• Default Domain Policy : This default GPO is created and linked to the domain, and
it affects all users and computers in the domain.
• Default Domain Controllers Policy : This GPO is linked to the Domain
Controllers OU.

4) What is the difference between No Override and Block Policy Inheritance ?

Block Policy Inheritance: Blocking of policy inheritance means selectively blocking a top
level policy from reaching a lower level. E.g. if we want a GPO created at domain level not to be
applied to a particular OU, then we have to set Block Policy Inheritance at OU level.

No Override: No Override means no one can override this policy. When the No Override
option is set, none of its policy settings can be overridden by any other GPO during the
processing of group policies. E.g. when the No Override option is set on a top level GPO,
then no other GPO at a lower level can override it (even if Block Policy Inheritance is set).
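
How the two options interact, as an added example that is not part of the original question sheet: a Python model of GPO processing along a site, domain and OU chain. The class and function names, the `HQ-Site` site, the `Security Baseline` and `Admins OU Policy` GPOs and all settings are constructed for illustration; the model also assumes that when several No Override links conflict, the one highest in the hierarchy wins.

```python
from dataclasses import dataclass, field


@dataclass
class Link:
    gpo: str
    settings: dict
    no_override: bool = False          # "No Override" set on this GPO link


@dataclass
class Container:
    name: str                          # a site, domain or OU
    links: list = field(default_factory=list)
    block_inheritance: bool = False    # "Block Policy Inheritance"


def effective_policy(chain):
    """chain: containers from the top (site) down to the OU holding the object.

    Returns {setting: (value, gpo_that_won)}.
    """
    # Links above the lowest blocking container are dropped,
    # unless the link is marked No Override.
    barrier = max((i for i, c in enumerate(chain) if c.block_inheritance),
                  default=0)
    normal, forced = [], []
    for level, container in enumerate(chain):
        for link in container.links:
            if link.no_override:
                forced.append(link)
            elif level >= barrier:
                normal.append(link)

    result = {}
    for link in normal:                # top to bottom: the lower level wins
        for key, value in link.settings.items():
            result[key] = (value, link.gpo)
    for link in reversed(forced):      # bottom to top: the higher level wins
        for key, value in link.settings.items():
            result[key] = (value, link.gpo)
    return result


def demo_chain(block_at_ou):
    """Constructed sample: domain vision.com with an 'admins' OU."""
    domain = Container("vision.com", [
        Link("Default Domain Policy",
             {"screensaver_timeout": 600, "control_panel": "hidden"}),
        Link("Security Baseline", {"usb_storage": "disabled"},
             no_override=True),
    ])
    ou = Container("admins", [
        Link("Admins OU Policy",
             {"usb_storage": "enabled", "control_panel": "visible"}),
    ], block_inheritance=block_at_ou)
    return [Container("HQ-Site"), domain, ou]


if __name__ == "__main__":
    for blocked in (False, True):
        print(blocked, effective_policy(demo_chain(blocked)))
```

With Block Policy Inheritance set on the OU, the Default Domain Policy settings disappear from the result, but the No Override baseline still wins over the OU's own conflicting setting.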

5) Which tool is used to import or export GPOs ?

GPMC.exe is a tool used to perform import and export of GPOs.

6) Which are the 2 methods of deploying applications via GPO ?

Assign and publish are the 2 methods of deploying software or applications via GPO.

7) What file formats are supported for software deployment via GPO ?

.msi and .zap are the 2 formats supported for software deployment under GPO.

8) What is GPO linking ?

GPO linking is a method of linking or applying the same policy to multiple OUs, sites, etc.

9) Where are GPO template or settings stored on DC ?

GPO templates or settings are stored under sysvol folder on every DC.

10) What are administrative templates ?

Administrative Templates facilitate the management of registry-based policy. An ADM
file is used to describe both the user interface presented to the Group Policy administrator
and the registry keys that should be updated on the target machines. Administrative
templates have the extension .ADM and we can create custom administrative templates as
per our requirement.

11) Which command is used to modify local group policy ?

Gpedit.msc

12) How to prevent a GPO from applying to a specific user or group ?

To prevent a group policy from applying to a user or group, go to the properties of the GPO and
set the Apply Group Policy permission to Deny for that user or group.

13) Is it possible to apply group policy to a single user or a single group ?

No. You cannot apply a GPO to a single user or group. All you have to do is to create an
OU, place that user or group in that particular OU and apply the GPO to that OU.

14) Can we apply a GPO to a single computer ?

No. You cannot apply a GPO to a single computer. All you have to do is to create an OU,
place that computer in that particular OU and apply the GPO to that OU.

15) What is the function of the GPMC tool ?

The GPMC tool is the Group Policy Management Console. This tool is used to manage or
administer Group Policy. With the help of this tool we can create, modify, delete,
back up/restore, etc. policies.

TRUST RELATIONSHIP

1) When will you reset a trust ?

If you've determined a trust is broken, you need to reset it, which will allow users to
authenticate across it again.

2) Which command line tool is used to create trust ?

Netdom.exe is a support tool used to create/view/delete trusts.

3) What is Trust relationship and when to use it?

Trust relationship is a feature which allows one domain to access other domain resources.
Trust relationship is used in a multi-domain setup. A trust can be configured in a one-way
fashion or a two-way fashion.

4) What is shortcut trust?

Trust relationship is a feature which allows one domain to access other domain resources.

5) What is forest trust?

Trust relationship is a feature which allows one domain to access other domain resources.

6) What is trusting party and trusted party?

Trust relationship is a feature which allows one domain to access other domain resources.

7) What is trust password?

Trust relationship is a feature which allows one domain to access other domain resources.

9) What is transitive trust?

Trust relationship is a feature which allows one domain to access other domain resources.

10) What is implicit and explicit trust?

Trust relationship is a feature which allows one domain to access other domain resources.

11) What is realm trust?

Trust relationship is a feature which allows one domain to access other domain resources.

Sites and services
=============

What is the default replication time between two DCs in the same site and how to change it
Which service is used for replication between DCs in a domain
What is the default time for replication between DCs in the same site or between sites
What is queuing policy in Windows 2000
What is garbage collection in Windows 2000
Which tool is used to manage a Windows 2000 domain controller from a non-domain
controller like W2k prof., Win 95/98, etc.
What is Global catalog
Types of replication
What is USN
What is the role of Global catalog in Windows 2000 domain environment
Where to place a global catalog in multi-domain and multi-site Windows 2000 forest
What is KCC (Knowledge Consistency Checker)
What is active directory connection
What is repadmin.exe
