Sie sind auf Seite 1von 9

Imp interview questions on AD

1 )where is AD database held? In ntds.dit other imp files are edb.log, edb.chk (which stores the shutdown statements) 2) importance of sysvol folder? Its a shared folder on the local DC, which contains public logon scripts and GPs, when replication takes place btw DCs this folder is that actually replicates + it should be on an NTFS drive.

3) AD naming context? Has 3 types of naming context a)schema b)domain c)configuration


Schema NC is replicated to every other domain controller in the forest. Configuration NC is also replicated to every other DC in the forest. The Domain NC is replicated to every other DC within a single Active Directory domain; this is the most accessed portion of the AD dB. Alternatively

Each domain controller stores a copy of a specific part of the directory tree, called a Naming Context also know as Directory Partition. Naming Context is replicated as a unit to other domain controllers in the forest that contain a replica of the same sub tree. A Naming Context is also called a Directory Partition. Doubt: where to find this in a DC (path for the NC)
4) application partition??

Application directory partitions provide the ability to control the scope of replication and allow the placement of replicas in a manner more suitable for dynamic data. use them when you need to replicate without causing a huge impact on network performance and latency... We need AD LDS role to installed first before we configure this. Application directory partitions hold the data that your applications use.
http://technet.microsoft.com/en-us/library/cc754663(v=ws.10).aspx#BKMK_1 for more info.

5) where is replication properties seen??

AD sites and services. We can also use a cmd repadmin /showrepl <servername> command

+we can run this command and get the o/p in an excel spread sheet when our AD environment is hugee (follow the link for more info)
http://technet.microsoft.com/en-us/library/cc794749(v=ws.10).aspx

6) how to view all the GCs in the forest? By using command

You can display the Global Catalog Servers in the domain you are logged in to using Nslookup.exe: 1. Open a CMD.EXE window. 2. Type the following command and press Enter: nslookup gc._msdcs.%USERDNSDOMAIN% alternatively use the following powershell command to find the GCs in the forest
Get-ADForest Fabrikam.com | FL GlobalCatalogs Note to find the nearest domain controller use the following command Get-ADDomainController DomainName Fabrikam-Discover NextClosestSite

7) can we make all DCs in the domain a GC?? Yes!! Unless the network connectivity is too poor and cannot support extra traffic.

8) what is REPLMON?
This is the first tool you should use to troubleshoot active directory replication issues Its a graphical tool, i.e easy to see and analyse!! The GUI was removed from win 2008....repadmin command is used as alternative.

9) what is netdom used for? Its a command thats built in to windows 2008....must be run from an elevated command prompt....it can be run only if AD domain service role is installed....used for batch management of trust, joining computers to domain and verifying trusts.

10) how to view schema??

option to view the schema register schmmgmt.dll using this command c:\windows\system32>regsvr32 schmmgmt.dll (type in run) Open mmc --> add snapin --> add Active directory schema name it as schema.msc Open administrative tool --> schema.msc Refer the below link for more info on schema extension and Active directory service interface (ADSI) tool and when ADSIedit.exe is used http://laxmanmcse.blogspot.com/2010/12/13-trying-to-look-at-schema-how-can-i.html

11) speak abt support tools for windows AD management Tools that are used to perform complicated tasks easily are support tools EX are as follows
Acldiag.exe Adsiedit.msc Bitsadmin.exe Dcdiag.exe Dfsutil.exe Dnslint.exe Dsacls.exe Iadstools.dll Ktpass.exe Ldp.exe Netdiag.exe Netdom.exe Ntfrsutl.exe Portqry.exe Repadmin.exe Replmon.exe Setspn.exe They mainly help in troubleshooting..managing..automating application deployment.configuring network and security feature etc. We can download support tools from the below link http://www.Microsoft.com/downloads/details.aspx?familyid=96A35011-FD83-419D-939B9A772EA2DF90&displaylang=en

12) explain about SITES. Sites speak abt physical structure of topology.while domain speaks abt logical structuring of topology..sites are very imp to have an efficient replication topology.basically they can also be described as one or more well-connected tcp/ip subnet. Sites can contain multiple domain and also a domain can span multiple sites If a domain spans in multiple sites it should replicate using IP.SMTP is used for intersite 13) explain abt site schedule and interval when speaking abt replication

Interval is a part of schedule but it takes cares of the replication polling frequency. In other words in a said schedule of say 9:00 AM to 1 PM replication polling shuld occur in every 15 minutes. Schedule here is 9:00 AM to 1 PM Interval is every 15 minutes.

14) Explain abt KCC. KCC comes to picture only when there is a 2nd DC in the domain.KCC generates replication topology..default time is 15 min. An admin will getto know abt kcc only in event viewer EX of the events include

Event 1009 (informational): The consistency checker has started updating the replication topology for this server. Event 1013 (informational): The replication topology update task terminated normally. Event 1265 (warning): The attempt to establish a replication link with parameters < parameters > failed with the following status: < error message >. The record data is the status code. This operation is going to be re-tried

15) what is ISTG? who has that rule?? ISTG stands for inter site topology generator..The KCC on one domain controller (regardless of the
domain) in each site is responsible for reviewing the inter-site topology and creating inbound replication connection objects as necessary for bridgehead servers in the site in which it resides. This domain controller is known as the Inter-Site Topology Generator (ISTG). The domain controller holding this role may not necessarily also be a bridgehead server. Initially, the first server in the site becomes the ISTG for the site. The role does not change as additional domain controllers are added to the site until the current ISTG becomes unavailable.

16) how to promote a server to dc in a remote site if the connection is slow. Simple method is to take the backup of the existing DC by running ntbackup. burn this on a CDsend the CD to the remote location.then run dcpromo/advanced.the console will open, and follow the instructions. More info on http://www.petri.co.il/install_dc_from_media_in_windows_server_2003.htmhttp://www. petri.co.il/install_dc_from_media_in_windows_server_2003.htm 17) how to remove the AD from the server? Using.dcpromo/forceremoval Also one should delete the metafiles using ntds utility. 18)tools that is used to get security related packets from wire.. Sniffer detecting tools like ethereal

19)explain OU design consideration. We create OU mainly for 2 reasonsa)delegating admin rights.b)to implement GPs There are 3 categories of OUs..1) flat (1 or 2 level) 2)narrow (3 to 5 level) 3)deep (more than 5 level) 20) what is tombstone attribute? Tombstone is an attribute that determines for how long the deleted object is retained in the active directory. This helps in removing objects from the replicated server How to determine the tombstone lifetime attribute (TSL)?? (default is 180 days) a) Can be done using the adsiedit tool also. Refer this link for more info on the same http://technet.microsoft.com/en-us/library/cc784932(v=ws.10).aspx b) Can be done using dsquery. (in cmd prompt) Ex: dsquery * "cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=<forestD
N>" scope base attr tombstonelifetime If forest name is corp.proseware.com dsquery * "cn=directory service,cn=windows nt,cn=services,cn=configuration,dc=corp,dc=prose ware,dc=com" scope base attr tombstonelifetime

The tombstone latency must be must be substantially longer than the expected replication latency btw the DC. If the tombstone has not yet replicated to a particular domain controller, that DC neve r records the deletion. We can also modify the tombstone lifetime. To reconfigure the tombstone lifetime use asdiedit.exe and refer the following command http://www.anas.co.in/2010/02/what-is-tombstone-lifetime-how-to.html

21)what are the steps to install a Win 2003 DC on an existing Win 2000 DC? Adprep.exe utility must be run on DC holding both the schema master and infra master role.then Adprep / forestprep command must be run on the existing win 2000 DC having the schema master r ole on the forest root domain to prepare the existing schema to to support win 2003 AD. Adprep/domainprep must be run on the server holding the infra master role in the domain where 2 000 server will be deployed. For further detailed reading, follow the link. http://support.microsoft.com/kb/325379 22) how to find the users who have not logged in for a month.

By running a native command jsilld.bat produces a sorted/formatted report of users who have not l ogged on since YYYYMMDD. The syntax for using this command is. JSILLD \Folder\OutputFile.Ext YYYYMMDD [/N]
where: YYYYMMDD will report all users who have not logged on since this date.

Alternatively, we can use dsquery also (which is run in an elevated command prompt) dsquery -inactive <NumberOfWeeks> will give you the answer Alternatively, using powershell commands
The following example demonstrates how to find user accounts that have been inactive for 90 days: Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 | where {$_.ObjectClass -eq 'user'} | FT Name,ObjectClass A

23)explain about DS* commands. They stand for directory services group of commands. they are majorly split into 2 trees. 1) DSadd, DSmod, DSrm and DSMove 2) DSQuery and DSGet. The DS family of built-in command line executables offer alternative strategies to CSVDE, LDIFDE and VBScript.

24) Speak abt LDIFDE and CSVDE commands and their usage scenarios. LDIFDE stands for LDAP Data Interchange Format This can be used to import and export objects to AD and from the AD to related services and applications, it also allows batch operations such as add, modify, create. Basically its a kind of file format, which can be read in any text editor (except excel or spread sheets) CSVDE stands for comma separated value data exchange Used mainly to import and export files in a .CSV format. This is used as a command, which is available if AD LDS role is installed

You may have to use this method in some scenarios, for example, when administrators want to export custom recipients from Microsoft Exchange Server 5.5 and import them into Active Directory as Microsoft Windows contacts. http://support.microsoft.com/kb/327620 refer this link for more info.

25) How to add schema snap-in. first we need to register the schema using the command regsvr32 schmmgmt.dll command must be run in an elevated command prompt.

26) Talk abt FSMO roles. There are 5 types of flexible single master operation roles. 1) Schema master.2)domain naming master.they are forest level. Schema is the skeletal structure of AD. DNM Checks on duplication of the domain name 3)Infrastructure master role..4)RID master role.5)PDC (primary domain controller) emulator..they are domain level. While troubleshooting one of the tools called.dcdiag /test:ridmanager /v tool is used to diagnose problems related to rid

the marked area gives the info of available rids in allocation pool (from 1102 to 1601.)i.e 499 rids available. The DC on which the rid master is located on. PDC emulator..its one of the most critical role.normally DC in the domain consults the PDC in that domain, normally GPO are set on a PDC emulator so that it is not conflicted while setting up policies in diff DC.

Synchronizing time is also one of the main tasks of PDC emulators, All the DCs, member servers will get their time from PDC emulator. Even the child domain gets the time from root domain.therefore ultimately from PDC. Placement of diff roles. Initially all the roles will be on the same DC if we have only one DC in our entire domain, but its kinda risking, so best method is

3 roles on one DC and the other 3 roles on a diff DC. Location of FSMO roles
1) Go to Domains and Computers----right click on the domain --------choose operation masters. (this displays all the domain level roles) 2) Go to AD domains and trusts----right click on AD domains and trusts--choose operation roles. (this will display only domain naming master role) 3) Go to mmc--add schema snap in-open the console---------right click on the AD schema---choose roles as shown below

P .T .O

Transferring and seizing the roles is also an important issue.