>What is Active Directory ?
Active Directory (AD) is Microsoft's directory service: a database that stores information about users, computers, groups and other network objects, together with the services (authentication, replication, Group Policy) used to manage and administer the network that is joined to it.
>What is a domain ?
In Windows NT and Windows 2000, a domain is a set of network resources (applications, printers, and so forth) for a group of users. The user need only log in to the domain to gain access to the resources, which may be located on a number of different servers in the network. An AD domain is identified by a DNS name (for example corp.example.com) and a NetBIOS name; it is not a URL and not an IP address.
>What is a domain controller ?
A domain controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, etc.) within the Windows Server domain. A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of computer resources with the use of a single username and password combination.
>What is LDAP ?
Lightweight Directory Access Protocol. LDAP is the industry-standard directory access protocol, making Active Directory widely accessible to management and query applications. Active Directory supports LDAPv3 and LDAPv2.
>What is KCC ?
The KCC (Knowledge Consistency Checker) generates the replication topology for both intrasite and intersite replication. Within a site, replication traffic is carried by RPC over IP; between sites it can use either RPC over IP or SMTP (SMTP can carry only the schema, configuration and global catalog partial replicas, not the domain partition).
>Where is the AD database held? What other folders are related to AD?
The AD database is stored in %SystemRoot%\NTDS\ntds.dit (by default C:\Windows\NTDS\ntds.dit), alongside its transaction logs (edb*.log, edb.chk) in the same folder. The SYSVOL folder is the other AD-related folder.
>What is the SYSVOL folder?
The SYSVOL folder stores the server's copy of the domain's public files, chiefly the Group Policy templates and logon/logoff scripts (not user accounts, which live in ntds.dit). Its contents are replicated to all domain controllers in the domain (by FRS on Windows Server 2003).
>What are the Windows Server 2003 keyboard shortcuts ?
Winkey opens or closes the Start menu.
Winkey + BREAK displays the System Properties dialog box.
Winkey + TAB moves the focus to the next application in the taskbar.
Winkey + SHIFT + TAB moves the focus to the previous application in the taskbar.
Winkey + B moves the focus to the notification area.
Winkey + D shows the desktop.
Winkey + E opens Windows Explorer showing My Computer.
Winkey + F opens the Search panel.
Winkey + CTRL + F opens the Search panel with the Search for Computers module selected.
Winkey + F1 opens Help.
Winkey + M minimizes all windows.
Winkey + SHIFT + M undoes the minimization.
Winkey + R opens the Run dialog.
Winkey + U opens the Utility Manager.
Winkey + L locks the computer.
>Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003 ?
Active Directory replaces them. All domain controllers now share a multimaster, peer-to-peer read/write relationship, and each hosts a writable copy of the Active Directory database. The PDC survives only as the PDC Emulator FSMO role, which handles password changes and NT 4.0 BDC replication for backward compatibility.
> Can a GC server and the Infrastructure master be placed on a single server? If not, explain why.
Not in a multi-domain forest, unless every DC is also a GC. The Infrastructure master updates cross-domain group-membership references by comparing its own data with a GC; if it is itself a GC it never sees a stale reference and silently stops updating them. In a single-domain forest, or when all DCs are GCs, the placement does not matter.
> Which service in Windows is responsible for replication from one domain controller to another?
The KCC generates the replication topology; the directory service then replicates changes over RPC over IP (or SMTP between sites).
> What are intrasite and intersite replication ?
Intrasite is replication within the same site; intersite is replication between sites, which is compressed, scheduled, and routed through bridgehead servers.
> What is the LostAndFound folder in AD?
It is the container where AD puts objects orphaned by a replication conflict. Example: you create a user in an OU on one DC while that OU is deleted on another DC; when replication happens and the parent OU no longer exists, the user object is placed in LostAndFound.
> What is garbage collection ?
Garbage collection is the housekeeping process that permanently removes tombstoned (deleted) objects once their tombstone lifetime has expired and then runs an online defragmentation of the database. By default it runs every 12 hours on each DC.
> What does System State data contain ?
• Boot and system files
• The Registry
• The COM+ class registration database
• Active Directory (ntds.dit and its logs), on a domain controller
• The SYSVOL folder, on a domain controller
• The Certificate Services database, if installed
• Cluster Service information, if the server is a cluster node
1. What's the difference between local, global and universal groups? Domain local groups are used to assign permissions on resources in their own domain and can contain users and global groups from any trusted domain. Global groups collect users from their own domain and can be granted access to resources in any trusted domain. Universal groups can contain members from any domain in the forest and be granted access to resources in all trusted domains; their membership is stored in the global catalog.
2. I am trying to create a new universal user group. Why can't I? Universal security groups require the domain functional level to be at least Windows 2000 native; in Windows 2000 mixed mode only universal distribution groups can be created. Raising the level to Windows 2000 native requires that no Windows NT 4.0 BDCs remain in the domain (the Windows Server 2003 level additionally requires that every DC run Windows Server 2003).
3. What is LSDOU? It's the Group Policy processing order: Local machine, Site, Domain, Organizational Unit. Policies processed later override earlier ones when they conflict, so an OU-linked setting wins over a domain-linked one.
4. Why doesn't LSDOU work under Windows NT? Windows NT clients don't process Group Policy at all; they use System Policy, and where an NTConfig.pol file exists its settings take precedence.
5. Where are group policies stored? The local GPO lives in %SystemRoot%\System32\GroupPolicy. Domain GPOs are stored in two parts: the Group Policy Container in Active Directory and the Group Policy Template in SYSVOL.
6. What is GPT and GPC? The Group Policy Template (the file-based part in SYSVOL: administrative templates, scripts, security settings) and the Group Policy Container (the AD object under CN=Policies,CN=System that holds the GPO's version number and status).
7. Where is the GPT stored? %SystemRoot%\SYSVOL\sysvol\<domainname>\Policies\{GUID}
8. You change the group policies, and now the computer and user settings are in conflict. Which one has the highest priority? The computer settings take priority.
9. You want to set up a remote installation procedure, but do not want the user to gain access over it. What do you do? In the GPO, User Configuration -> Windows Settings -> Remote Installation Services -> Choice Options lets you restrict which setup options the user is allowed to see and pick.
10. What's contained in the administrative template conf.adm? Microsoft NetMeeting policies.
11. How can you restrict running certain applications on a machine? Via Group Policy: Computer Configuration (or User Configuration) -> Windows Settings -> Security Settings -> Software Restriction Policies, using hash, certificate, path or Internet zone rules.
12. You need to automatically install an app, but an MSI file is not available. What do you do? A .zap text file can be used to publish the application through Software Installation instead of the Windows Installer; it simply points at the application's own setup program.
13. What's the difference between Software Installer and Windows Installer? A .zap-based deployment runs the vendor's setup program with the user's own privileges and can only be published, not assigned, so it usually requires user intervention (and the user needs rights to install software). Windows Installer (.msi) packages can be assigned or published, install with elevated privileges, and support self-repair and clean removal.
14. What can be restricted on Windows Server 2003 that wasn't there in previous products? Group Policy in Windows Server 2003 determines a user's right to modify network and dial-up TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network configuration parameters.
15. How frequently is the client policy refreshed? Every 90 minutes plus a random offset of up to 30 minutes; domain controllers refresh every 5 minutes. Security settings are reapplied every 16 hours even when nothing has changed.
16. Where is secedit? secedit.exe still exists for working with security templates, but its /refreshpolicy switch was replaced by gpupdate.
17. You want to create a new group policy but do not wish to inherit. Set Block Inheritance on the domain or OU the policy is linked to, not on the GPO itself. Note that a GPO link marked Enforced (No Override) at a higher level still applies through the block.
18. What is "tattooing" the Registry? Settings written outside the four Group Policy keys (the Policies subkeys under HKLM\Software and HKCU\Software, and under ...\Microsoft\Windows\CurrentVersion) are treated as preferences rather than policies. If the GPO that set them is removed or changed, the value persists in the Registry, and the user can view and modify it.
19. How do you fight tattooing in NT/2000 installations? You can't.
20. How do you fight tattooing in 2003 installations? User Configuration -> Administrative Templates -> System -> Group Policy -> enable "Enforce Show Policies Only", so that only true policy settings are shown and deployed.
21. What does IntelliMirror do? It helps to reconcile desktop settings, applications, and stored files for
users, particularly those who move between workstations or those who must periodically work offline.
22. What's the major difference between FAT and NTFS on a local machine? FAT and FAT32 provide no security against locally logged-on users: anyone with local access can read every file. Only NTFS provides permission control on both remote and local files; share permissions alone protect only network access.
23. How do FAT and NTFS differ in approach to user shares? They don't; both support sharing with share permissions. NTFS merely adds file-system permissions underneath the share.
24. Explain the List Folder Contents permission on a folder in NTFS. It grants the same rights as Read & Execute, but it is inherited only by subfolders, not by files within the folder. Newly created subfolders therefore inherit it; files do not.
25. I have a file to which the user has access, but he has no folder permission to read it. Can he access it? Yes. A user can reach a file for which he lacks permission on the parent folder if he knows the path of the file object. Even if he can't drill down the file/folder tree using My Computer, he can still open the file with its full local path or a Universal Naming Convention (UNC) path, for example by typing it into the Run... window. This works because the Bypass Traverse Checking user right, granted to Everyone by default, lets users pass through folders they can't list; remove that right, or set permissions on the file itself, if the behaviour is unwanted.
26. For a user in several groups, are Allow permissions restrictive or permissive? Permissive: if at least one group has Allow permission for the file/folder, the user gets that permission, and the allowed rights of all the user's groups are combined.
27. For a user in several groups, are Deny permissions restrictive or permissive? Restrictive: if at least one group has a Deny permission for the file/folder, the user is denied that access regardless of other group permissions. The one exception is that a permission set explicitly on the object outranks an inherited one, so an explicit Allow on a file beats a Deny inherited from its folder.
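The evaluation rules in questions 26 and 27, including the explicit-beats-inherited exception, are the Windows access check walking a DACL in canonical order. The following is an added Python illustration, not code from the original page: it sorts a constructed DACL into canonical order (explicit deny, explicit allow, inherited deny, inherited allow) and applies the real rule, which is that allowed rights accumulate across every matching ACE but the first matching Deny covering a still-outstanding right ends the check. Group names, the three-bit access mask and the sample DACL are all hypothetical.

```python
from dataclasses import dataclass

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4  # toy access mask; real masks are 32-bit


@dataclass(frozen=True)
class Ace:
    trustee: str        # group or user name (a SID in a real ACL)
    allow: bool         # True = ACCESS_ALLOWED_ACE, False = ACCESS_DENIED_ACE
    mask: int
    inherited: bool = False


def canonical_order(dacl):
    """Canonical ACE order: explicit deny, explicit allow, inherited deny, inherited allow.
    (False, False) < (False, True) < (True, False) < (True, True), and sorted() is stable."""
    return sorted(dacl, key=lambda ace: (ace.inherited, ace.allow))


def access_check(dacl, token_groups, desired):
    """Return True if every bit in `desired` is granted to a token holding `token_groups`.

    Rights are removed from `remaining` by each matching allow ACE; a matching deny ACE
    that covers any right still in `remaining` denies access immediately. If the walk
    ends with rights still outstanding, access is denied implicitly."""
    remaining = desired
    for ace in canonical_order(dacl):
        if ace.trustee not in token_groups:
            continue  # ACE does not apply to this token
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


# Constructed DACL on a shared folder, used only for this demo.
DACL = [
    Ace("Everyone", allow=True, mask=READ, inherited=True),
    Ace("Interns", allow=False, mask=READ, inherited=True),
    Ace("Finance", allow=True, mask=READ | WRITE),
    Ace("Contractors", allow=False, mask=WRITE),
]


def demo():
    alice = {"alice", "Finance", "Contractors", "Everyone"}
    bob = {"bob", "Everyone"}
    carol = {"carol", "Finance", "Interns", "Everyone"}
    return {
        "alice read": access_check(DACL, alice, READ),     # Finance allow grants it
        "alice write": access_check(DACL, alice, WRITE),   # explicit Contractors deny wins
        "bob read": access_check(DACL, bob, READ),         # inherited Everyone allow
        "bob write": access_check(DACL, bob, WRITE),       # nothing grants it: implicit deny
        "carol read": access_check(DACL, carol, READ),     # explicit allow beats inherited deny
    }


if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case:12s} -> {'granted' if granted else 'denied'}")
```

Note that the canonical sort is what makes the carol case come out as Windows does: an ACL editor always writes explicit ACEs ahead of inherited ones, so if you build ACLs programmatically in a different order you get different, non-Windows results.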
28. What hidden shares exist on a Windows Server 2003 installation? ADMIN$ (the %SystemRoot% folder), one <driveletter>$ share per fixed disk (C$, D$, ...), IPC$ (named pipes for remote administration), print$ when a printer is shared, and FAX$ when the fax service is installed. NETLOGON and SYSVOL are created on domain controllers but are ordinary visible shares, not hidden ones.
29. What's the difference between standalone and fault-tolerant (domain-based) DFS (Distributed File System) installations? A standalone root stores the DFS directory tree structure, or topology, locally on the root server. Thus, if the DFS root server is down, users are left with no link to the shared resources. A fault-tolerant (domain-based) root stores the DFS topology in Active Directory, which is replicated to the other domain controllers, and the root itself can be hosted on several servers. Redundant root targets and link targets may include multiple connections to the same data residing in different shared folders.
30. We're using the DFS fault-tolerant installation, but cannot access it from a Win98 box. Windows 98 needs the Active Directory Client Extension (dsclient) installed to resolve domain-based DFS roots; without it, use the UNC path of the underlying share on a specific server. Windows 2000 and later clients access domain-based roots natively.
31. Where exactly do fault-tolerant DFS shares store information in Active Directory? In an fTDfs object under CN=Dfs-Configuration,CN=System,<domain>, whose pKT attribute holds the Partition Knowledge Table (PKT). The object replicates to the other domain controllers like any other directory object.
32. Can you use Start->Search with DFS shares? Yes.
33. What problems can you have with DFS installed? Two users can open redundant copies of the same file at the same time, since DFS does no file locking across replicas, change the contents and then save. FRS replication then propagates only one version (last writer wins), and the other user's changes are lost.
34. I run Microsoft Cluster Server and cannot install fault-tolerant DFS. You can't; domain-based DFS roots aren't supported on a cluster in Windows Server 2003. Install a standalone root instead, which can be clustered.
35. Is Kerberos encryption symmetric or asymmetric? Symmetric. In Windows Server 2003 the tickets and authenticators are protected with RC4-HMAC or DES keys derived from the account password; the KDC and the principal share that key, so no public-key operation is involved (except when smart-card logon uses PKINIT for the initial exchange).
36. How does Windows Server 2003 try to prevent a man-in-the-middle attack on an encrypted line? A timestamp is attached to the client's initial request and encrypted with the shared key, so only a party holding that key could have produced it. The KDC and services reject a timestamp more than 5 minutes off their own clock and keep a replay cache of authenticators already seen, so a captured request can't simply be replayed, and the service proves its own identity back to the client (mutual authentication).
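The server-side half of the defence in question 36 is the skew check plus the replay cache. The following added Python model (not code from the original page or from Windows) shows both decisions a service makes on an authenticator: reject it if the timestamp is outside the 5-minute window, reject it if the same (client, timestamp) pair was already accepted, and expire cache entries once the skew check alone would catch them. The principal names, the fake clock and the simplification that the timestamp arrives already decrypted are assumptions for the demo; real implementations key the cache on microseconds and the authenticator hash as well.

```python
import time

MAX_SKEW = 300  # seconds; the Kerberos default tolerated clock skew (5 minutes)


class ReplayCache:
    """Replay cache a service keeps for Kerberos authenticators (illustrative model).

    check() returns (accepted, reason). The reason strings are the real Kerberos
    error names from RFC 4120: KRB_AP_ERR_SKEW for a stale or future timestamp and
    KRB_AP_ERR_REPEAT for a timestamp already seen from that client."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so the demo is deterministic
        self._seen = {}            # (client, ctime) -> time after which entry can go

    def _purge(self):
        now = self._now()
        for key in [k for k, expires in self._seen.items() if expires <= now]:
            del self._seen[key]

    def check(self, client: str, ctime: float):
        self._purge()
        now = self._now()
        if abs(now - ctime) > MAX_SKEW:
            return False, "KRB_AP_ERR_SKEW"
        key = (client, ctime)
        if key in self._seen:
            return False, "KRB_AP_ERR_REPEAT"
        # Once ctime is more than MAX_SKEW in the past the skew check rejects it
        # anyway, so the cache entry only needs to live until then.
        self._seen[key] = ctime + MAX_SKEW
        return True, "ok"

    def size(self):
        return len(self._seen)


def demo():
    """Constructed sequence of authenticators against one service (hypothetical realm)."""
    clock = [1_700_000_000.0]
    cache = ReplayCache(now=lambda: clock[0])
    first_ts = clock[0]
    results = [
        cache.check("alice@CORP.EXAMPLE.COM", first_ts),        # fresh            -> ok
        cache.check("alice@CORP.EXAMPLE.COM", first_ts),        # captured, replayed -> REPEAT
        cache.check("bob@CORP.EXAMPLE.COM", first_ts - 600),    # 10 minutes old   -> SKEW
        cache.check("bob@CORP.EXAMPLE.COM", first_ts + 600),    # clock 10 min fast -> SKEW
    ]
    clock[0] += 301                                             # more than MAX_SKEW later
    results.append(cache.check("alice@CORP.EXAMPLE.COM", first_ts))  # now stale  -> SKEW
    return results, cache.size()


if __name__ == "__main__":
    verdicts, remaining = demo()
    for accepted, reason in verdicts:
        print("accepted" if accepted else "rejected", reason)
    print("entries still cached:", remaining)
```

The cache is what makes the timestamp meaningful: without it an attacker who captures an authenticator can resend it for the whole 5-minute window, and without the skew check the cache would have to grow without bound.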
37. What hashing algorithms are used in Windows Server 2003? RSA Data Security's Message Digest 5 (MD5), which produces a 128-bit hash, and the Secure Hash Algorithm 1 (SHA-1), which produces a 160-bit hash. (MD4 is also used, to produce the NT password hash.) Both MD5 and SHA-1 have since been shown to be vulnerable to collision attacks and should not be relied on for new signatures or certificates.
38. What third-party certificate exchange protocols are used by Windows Server 2003? Windows Server 2003 uses the industry-standard PKCS #10 certificate request and PKCS #7 certificate response formats to exchange certificates with third-party certificate authorities.
39. What's the number of permitted unsuccessful logons on the Administrator account? Unlimited: the built-in Administrator account can't be locked out. Remember, though, that this applies to the built-in Administrator account only, not to every account that's a member of the Administrators group.
40. If hashing is a one-way function and Windows Server uses hashing for storing passwords, how is it possible to attack the password lists, specifically the ones using NTLMv1? The stored NT hash (MD4 of the UTF-16LE password) and the older LM hash are unsalted, so an attacker hashes every candidate in a dictionary once and compares the results against the whole list; identical passwords produce identical hashes, and precomputed tables make the comparison cheaper still. A captured NTLMv1 challenge/response can likewise be brute-forced offline, because the response is just DES applied to the NT hash.
41. What's the difference between guest accounts in Server 2003 and other editions? More restrictive in Windows Server 2003: the Guest account is disabled by default and can't be used for network logon until an administrator enables it.
42. How many passwords by default are remembered when you check "Enforce password history"? In the Windows Server 2003 Default Domain Policy the value is 24 passwords; in the local policy of a standalone server it is 0 until you set it.
DNS plays an important role in creating an effective Windows 2000 Active Directory (AD) implementation. AD requires DNS and uses it for name resolution and, with the help of a Resource Record (RR) type called the SRV record, for service location: clients find domain controllers by querying names such as _ldap._tcp.dc._msdcs.<domain>. Because AD relies on DNS for these services, Win2K offers a more scalable and efficient solution than Windows NT 4.0, which uses WINS. A DNS database known as a zone file contains RRs that link host names with their corresponding IP addresses. Win2K DNS supports two kinds of zone storage, standard and AD integrated.

Standard Zone Files
Standard zone files are traditional DNS zone files. To use standard zone files, you create a zone on the DNS server that you plan to use to perform DNS database administration. This server becomes the primary zone server where all updates, such as RR additions or deletions, occur. When you create a DNS server to function as a secondary zone server, you specify the name or IP address of the primary zone server that will provide a copy of the zone file. You can use secondary zone servers to provide load balancing and a certain degree of fault tolerance. Secondary zone servers provide only limited fault tolerance: they continue to answer DNS queries while the primary is down, but they can't accept any updates because they hold only a read-only copy of the zone file. The primary zone server periodically replicates its zone file to the secondary zone server to ensure that the secondary's copy is current. With earlier versions of Microsoft DNS, the primary zone server transfers a full copy of the zone file (AXFR) and overwrites the existing zone file on the secondary. Win2K DNS supports incremental zone transfers (IXFR), which means that the primary zone server sends only the changes that have occurred since the last replication.

AD Integrated Zone Files
With Win2K, you can also use AD integrated zones to store zone information in AD. With this approach, DNS uses AD for zone storage and replication, which has advantages over standard zone types. Because AD integrated zones use AD's own replication service, you don't need to configure a separate replication topology. AD integrated zones also eliminate the single point of failure that arises when a standard primary server goes down. With AD's multimaster approach, you can make DNS changes at any domain controller (DC), and the changes automatically replicate to the other DCs in the domain according to AD's replication topology.

Although both zone types support the dynamic update protocol (dynamic DNS, DDNS), only AD integrated zones support secure dynamic updates, which let you control who can update DNS and reserve a particular name for the computer that registered it, so that another host can't overwrite it. Keep in mind that in Win2K, AD integrated zones don't replicate between domains: the zone data lives in the domain naming context and follows the usual AD replication model, in which most information replicates only to other DCs in the same domain (Windows Server 2003 adds the DomainDnsZones and ForestDnsZones application partitions, the latter replicating to every DNS server in the forest). This issue is especially confusing because the Microsoft Management Console (MMC) DNS snap-in lets you create zones in multiple domains with the same name.

Creating Zones and Changing Zone Types
To create a new zone, right-click either the Forward or Reverse Lookup Zones folder in the MMC DNS snap-in and choose New Zone. A wizard asks what type of zone you want to create. Note that the option to create an AD integrated zone won't appear if you haven't already run DCPROMO. In such cases, you can create a standard zone and change it after you create your AD by right-clicking the zone name in the DNS snap-in and choosing Properties. You can follow this same procedure whenever you need to change zone types.
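Service location through SRV records, as mentioned at the start of this section, works because the client applies the RFC 2782 selection rules to the records it gets back. The following added Python example (not code from the original article or from Microsoft's DNS client) parses SRV lines from a constructed zone snippet for the hypothetical domain corp.example.com and orders the domain controllers the way a client should try them: lowest priority first, and within a priority a weighted random choice. The record names, hosts, weights and the seeded random source are assumptions for the demo.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    owner: str
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(line: str) -> SrvRecord:
    """Parse one zone-file SRV line: owner TTL class SRV priority weight port target."""
    owner, _ttl, _cls, rtype, prio, weight, port, target = line.split()
    if rtype.upper() != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    return SrvRecord(owner.lower().rstrip("."), int(prio), int(weight), int(port),
                     target.lower().rstrip("."))


def order_targets(records, rng=random):
    """Order records the way an RFC 2782 client should try them.

    Lowest priority first. Within one priority, pick repeatedly with probability
    proportional to weight; weight-0 records are moved to the front of the pool so
    they are chosen only when the draw is 0, i.e. almost never while others remain."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            pool.sort(key=lambda r: r.weight != 0)     # stable sort: zero weights first
            draw = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for rec in pool:
                running += rec.weight
                if running >= draw:
                    ordered.append(rec)
                    pool.remove(rec)
                    break
    return ordered


# Constructed zone snippet for the hypothetical domain corp.example.com:
# dc1 and dc2 share the load; dc-dr (priority 10) is used only if both are unreachable.
ZONE = """\
_ldap._tcp.dc._msdcs.corp.example.com.     600 IN SRV 0  100 389 dc1.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com.     600 IN SRV 0  100 389 dc2.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com.     600 IN SRV 10 0   389 dc-dr.corp.example.com.
_kerberos._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0  100 88  dc1.corp.example.com.
"""


def locate(zone_text: str, service: str, rng=random):
    """Return (target, port) pairs for one service name, in the order to try them."""
    wanted = service.lower().rstrip(".")
    records = [parse_srv(l) for l in zone_text.splitlines() if l.strip()]
    return [(r.target, r.port)
            for r in order_targets([r for r in records if r.owner == wanted], rng)]


def demo():
    rng = random.Random(7)  # seeded only so the demo is reproducible
    return {
        "ldap": locate(ZONE, "_ldap._tcp.dc._msdcs.corp.example.com", rng),
        "kerberos": locate(ZONE, "_kerberos._tcp.dc._msdcs.corp.example.com", rng),
    }


def heavy_first_count(trials=200):
    """How often a weight-100 record is tried before a weight-0 one at equal priority."""
    rng = random.Random(1)
    recs = [SrvRecord("x", 0, 100, 389, "heavy"), SrvRecord("x", 0, 0, 389, "light")]
    return sum(order_targets(recs, rng)[0].target == "heavy" for _ in range(trials))


if __name__ == "__main__":
    print(demo())
    print(heavy_first_count(), "of 200 trials tried the weighted target first")
```

Two practical consequences follow from the rules: a DC whose SRV record carries a higher priority number is never contacted while a lower-priority one answers, which is how a disaster-recovery DC is kept idle, and a stale SRV record for a decommissioned DC keeps being selected until it is scavenged, which is a common cause of slow logons.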
What Stub Zones Do
Enter stub zones to the rescue. A stub zone is like a secondary zone in that it obtains its resource records from other name servers (one or more master name servers). A stub zone is also read-only like a secondary zone, so administrators can't manually add, remove, or modify resource records on it. But the similarities end there, as stub zones differ from secondary zones in a couple of significant ways. First, while secondary zones contain copies of all the resource records in the corresponding zone on the master name server, stub zones contain only three kinds of resource records:

• A copy of the SOA record for the zone.
• Copies of NS records for all name servers authoritative for the zone.
• Copies of A records (glue) for all name servers authoritative for the zone.

That's it: no CNAME records, MX records, SRV records, or A records for other hosts in the zone. So while a secondary zone can be quite large for a big company's network, a stub zone is always very small, just a few records. This means replicating zone information from master to stub zone adds almost no DNS traffic to your network, as the records for name servers rarely change unless you decommission an old name server or deploy a new one. Also, while most DNS servers can be configured to refuse zone transfers to secondary zones, a stub zone obtains its SOA, NS and A records through ordinary queries rather than a zone transfer, so zone-transfer restrictions don't block it; any name server answers those queries because they are essential for name resolution to work. Finally, since stub zones can be
integrated within Active Directory (secondary zones can't), they can make use of Active Directory replication to propagate their information to all domain controllers on your network. In our previous scenario, stub zones can be used instead of secondary zones to reduce the amount of zone transfer traffic over the WAN link connecting the two companies. To do this, the administrator for Company A would simply log on to one of the domain controllers, open the DNS console, and create a new stub zone that uses one or more of Company B's name servers as master name servers. By making this stub zone an Active Directory Integrated zone, the stub zone will then be automatically replicated to all other domain controllers on Company A's network. Now when a client on Company A's network wants to connect to a resource on Company B's network, the client issues a DNS query to the nearest Company A domain controller, which uses the NS records in the stub zone to send the query to one of Company B's name servers to resolve.

How to Create a Stub Zone
Let's see how it works in practice. In my lab I have two forests set up, one for Company A running Windows Server 2003 and named test2003.local, and the other for Company B running Windows 2000 and named test2000.local. The domain controller for the root domain of Company A is named SRV220, while the domain controllers for the root domain of Company B are named SRV210, SRV211 and SRV212. Sally is an employee of Company A and her desktop computer is named DESK231, and she needs to access a share named CATALOG located on SRV210 in Company B. To do this she clicks Start, selects Run, and types \\srv210.test2000.local\catalog, and the result is an error: