Windows System Administrator Interview Questions Part1

• What is Active Directory?

An active directory is a directory structure used on Microsoft Windows based computers and servers to store information and data about networks and domains. It is primarily used for online information and was originally created in 1996. It was first used with Windows 2000.

An active directory (sometimes referred to as an AD) does a variety of functions including the ability to provide information on objects, helps organize these objects for easy retrieval and access, allows access by end users and administrators and allows the administrator to set security up for the directory.

Active Directory is a hierarchical collection of network resources that can contain users, computers, printers, and other Active Directories. Active Directory Services (ADS) allow administrators to handle and maintain all network resources from a single location . Active Directory stores information and settings in a central database

• What is LDAP?

The Lightweight Directory Access Protocol, or LDAP , is an application protocol for querying and modifying directory services running over TCP/IP. Although not yet widely implemented, LDAP should eventually make it possible for almost any application running on virtually any computer platform to obtain directory information, such as email addresses and public keys. Because LDAP is an open protocol, applications need not worry about the type of server hosting the directory.

• Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.

-Yes you can connect other vendors Directory Services with Microsoft’s version.

-Yes, you can use dirXML or LDAP to connect to other directories (ie. E-directory from Novell or NDS (Novel directory  System).

-Yes you can Connect Active Directory to other 3rd -party Directory Services such as dictonaries used by SAP, Domino etc with the help of MIIS ( Microsoft Identity Integration Server )

• Where is the AD database held? What other folders are related to AD?

AD Database is saved in %systemroot%/ntds. You can see other files also in this folder. These are the main files controlling the AD structure

ntds.dit

edb.log

res1.log

res2.log

edb.chk

When a change is made to the Win2K database, triggering a write operation, Win2K records the transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD database. System performance determines how fast the system writes the data to the AD database from the log file. Any time the system is shut down, all transactions are saved to the database.

During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is 10MB. These files are used to ensure that changes can be written to disk should the system run out of free disk space. The checkpoint file (edb.chk) records transactions committed to the AD database (ntds.dit). During shutdown, a “shutdown” statement is written to the edb.chk file. Then, during a reboot, AD determines that all transactions in the edb.log file have been committed to the AD database. If, for some reason, the edb.chk file doesn’t exist on reboot or the shutdown statement isn’t present, AD will use the edb.log file to update the AD database.

The last file in our list of files to know is the AD database itself, ntds.dit. By default, the file is located in\NTDS, along with the other files we’ve discussed

• What is the SYSVOL folder?

- All active directory data base security related information store in SYSVOL folder and its only created on NTFS partition.

- The Sysvol folder on a Windows domain controller is used to replicate file-based data among domain controllers. Because junctions are used within the Sysvol folder structure, Windows NT file system (NTFS) version 5.0 is required on domain controllers throughout a Windows distributed file system (DFS) forest.

This is a quote from microsoft themselves, basically the domain controller info stored in files like your group policy stuff is replicated through this folder structure

• How do you view all the GCs in the forest?

C:\>repadmin/showreps
domain_controller

OR
You can use Replmon.exe for the same purpose.
OR
AD Sites and Services and nslookup gc._msdcs.%USERDNSDOMAIN%

• Why not make all DCs in a large forest as GCs?

The reason that all DCs are not GCs to start is that in large (or even Giant) forests the DCs would all have to hold a reference to every object in the entire forest which could be quite large and quite a replication burden.

For a few hundred, or a few thousand users even, this not likely to matter unless you have really poor WAN lines.

• Trying to look at the Schema, how can I do that?

adsiedit.exe

option to view the schema

register schmmgmt.dll using this command

c:\windows\system32>regsvr32 schmmgmt.dll

Open mmc –> add snapin –> add Active directory schema

name it as schema.msc

Open administrative tool –> schema.msc

• What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?

ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects with a directory service. The attributes for each object can be edited or deleted by using this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active Directory. The following are the required files for using this tool:

· ADSIEDIT.DLL

· ADSIEDIT.MSC

Regarding system requirements, a connection to an Active Directory environment and Microsoft Management Console (MMC) is necessary

A: Replmon is the first tool you should use when troubleshooting Active Directory replication issues. As it is a graphical tool, replication issues are easy to see and somewhat easier to diagnose than using its command line counterparts. The purpose of this document is to guide you in how to use it, list some common replication errors and show some examples of when replication issues can stop other network installation actions.

NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels

Enables administrators to manage Active Directory domains and trust relationships from the command prompt.

Netdom is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use netdom, you must run the netdom command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

REPADMIN.EXE is a command line tool used to monitor and troubleshoot replication on a computer running Windows. This is a command line tool that allows you to view the replication topology as seen from the perspective of each domain controller.

REPADMIN is a built-in Windows diagnostic command-line utility that works at the Active Directory level. Although specific to Windows, it is also useful for diagnosing some Exchange replication problems, since Exchange Server is Active Directory based.

REPADMIN doesn’t actually fix replication problems for you. But, you can use it to help determine the source of a malfunction.

• What are sites? What are they used for?

Active directory sites, which consist of well-connected networks defined by IP subnets that help define the physical structure of your AD, give you much better control over replication traffic and authentication traffic than the control you get with Windows NT 4.0 domains.
Using Active Directory, the network and its objects are organized by constructs such as domains, trees, forests, trust relationships, organizational units (OUs), and sites.

• What’s the difference between a site link’s schedule and interval?

Schedule enables you to list weekdays or hours when the site link is available for replication to happen in the give interval. Interval is the re occurrence of the inter site replication in given minutes. It ranges from 15 – 10,080 mins. The default interval is 180 mins.

• What is the KCC?

The KCC is a built-in process that runs on all domain controllers and generates replication topology for the Active Directory forest. The KCC creates separate replication topologies depending on whether replication is occurring within a site (intrasite) or between sites (intersite). The KCC also dynamically adjusts the topology to accommodate new domain controllers, domain controllers moved to and from sites, changing costs and schedules, and domain controllers that are temporarily unavailable.

• What is the ISTG? Who has that role by default?

Intersite Topology Generator (ISTG), which is responsible for the connections among the sites. By default Windows 2003 Forest level functionality has this role.  By Default the first Server has this role. If that server can no longer preform this role then the next server with the highest GUID then takes over the role of ISTG.

• What are the requirements for installing AD on a new server?

· An NTFS partition with enough free space (250MB minimum)

· An Administrator’s username and password

· The correct operating system version

· A NIC

· Properly configured TCP/IP (IP address, subnet mask and – optional – default gateway)

· A network connection (to a hub or to another computer via a crossover cable)

· An operational DNS server (which can be installed on the DC itself)

· A Domain name that you want to use

· The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder)

• What can you do to promote a server to DC if you’re in a remote location with slow WAN link?

First available in Windows 2003, you will create a copy of the system state from an existing DC and copy it to the new remote server. Run “Dcpromo /adv”. You will be prompted for the location of the system state files

• What is tombstone lifetime attribute?

The number of days before a deleted object is removed from the directory services. This assists in removing objects from replicated servers and preventing restores from reintroducing a deleted object. This value is in the Directory Service object in the configuration NIC by default 2000 (60 days) 2003 (180 days)

Windows 2000 Server 60 days
Windows Server 2003 no service pack 60 days
Windows Server 2003 SP1 180 days
Windows Server 2003 R2 60 days
Windows Server 2003 SP2 180 days
Windows Server 2008 180 days

• What are the DScommands?

New DS (Directory Service) Family of built-in command line utilities for Windows Server 2003 Active Directory

New DS built-in tools for Windows Server 2003
The DS (Directory Service) group of commands are split into two families. In one branch are DSadd, DSmod, DSrm and DSMove and in the other branch are DSQuery and DSGet.

When it comes to choosing a scripting tool for Active Directory objects, you really are spoilt for choice. The the DS family of built-in command line executables offer alternative strategies to CSVDE, LDIFDE and VBScript.

Let me introduce you to the members of the DS family:

DSadd – add Active Directory users and groups
DSmod – modify Active Directory objects
DSrm – to delete Active Directory objects
DSmove – to relocate objects
DSQuery – to find objects that match your query attributes
DSget – list the properties of an object

• What are the FSMO roles? Who has them by default? What happens when each one fails?

FSMO stands for the Flexible single Master Operation

It has 5 Roles: -

• Schema Master:

The schema master domain controller controls all updates and modifications to the schema. Once the Schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.

• Domain naming master:

The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest.

• Infrastructure Master:

When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object’s SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.

Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC’s event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.

• Relative ID (RID) Master:

The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC’s allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain’s RID master. The domain RID master responds to the request by retrieving RIDs from the domain’s unallocated RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.

• PDC Emulator:

The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All Windows 2000/2003-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops to ensure appropriate common time usage.

The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner.

:: In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:

:: Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.

Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.

Account lockout is processed on the PDC emulator.

Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator’s SYSVOL share, unless configured not to do so by the administrator.

The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.

This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows 2000/2003. The PDC emulator still performs the other functions as described in a Windows 2000/2003 environment.