
Hyper-v interview questions and answers | HTML POINT

Hyper-v interview questions and answers

Below are Hyper-V interview questions and answers.

Ques:- Basic requirements for installing a cluster

Ans:- DNS: The servers in the cluster must be using Domain Name System (DNS) for name resolution.

Domain role: All servers in the cluster must be in the same Active Directory domain, all clustered servers should have the same domain role.

Domain controllers: We recommend that your clustered servers be member servers. If they are, other servers will be the domain controllers in the
domain that contains your failover cluster.

Clients: The clients must be able to connect to the clustered servers.

Account for administering the cluster: When you first create a cluster or add servers to it, you must be logged on to the domain with an account that has domain admin rights.

Ques:- Prerequisites to install Hyper-V

Ans:-

1- Microsoft recommends a minimum 1.4 GHz 64-bit virtualization-enabled processor; we recommend at least a 2 GHz processor for Hyper-V Server.

2- Minimum of 512 MB hard disk space to accommodate the Hyper-V Server installation.

3- Network adapters: at least one for the management network and one for the heartbeat.

Ques:- How to install Hyper-V

Ans:-

1- In Server Manager, on the Manage menu, click Add Roles and Features.

2- Select the role-based installation and click Next.

3- Select a server from the server pool and click Next.

4- Select the Hyper-V role and click Next.

5- Select the network.

6- After installation, the Hyper-V console opens.

Ques: What is Hyper-V?

Ans:

1- A hypervisor is the service on which multiple virtual machines run.

2- Hyper-V provides the functionality to create a virtualization layer over the physical hardware of the host server.

3- Microsoft's Hyper-V is a virtualization component that allows the creation and management of hardware-virtualized computing environments, using VMs to run multiple operating systems on one physical server.

Ques: Where does Hyper-V place the files and settings for VMs?

Ans: The default location for VM files is C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks, but the location can be changed in Hyper-V Settings.

Ques:- Types of quorum

Ans:- Types of quorum:

1-Node majority – Each node in the cluster has a vote

2-Node and disk majority – Each node in the cluster has a vote as does a shared disk

3-Node and file share majority – Each node in the cluster has a vote as does a file share (the file share witness)

4-Disk only – Only a shared disk has a vote
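The four quorum models above map one-to-one onto the parameter sets of Set-ClusterQuorum. As an added example (not from the original page), the script below reports the current model and switches the cluster to a chosen one; the cluster name, witness share and witness disk are placeholders.

```powershell
# Added example (not from the original page): inspect the current cluster
# quorum model and switch it to one of the four models listed above.
# Assumes the FailoverClusters module is installed and the script runs on a
# cluster node; the cluster name, witness share and disk name are placeholders.
Import-Module FailoverClusters

$ClusterName  = 'CLUSTER01'               # placeholder
$WitnessShare = '\\FS01\ClusterWitness'   # placeholder file share witness
$WitnessDisk  = 'Cluster Disk 1'          # placeholder shared disk resource

function Get-QuorumSummary {
    param([string]$Cluster)
    $q = Get-ClusterQuorum -Cluster $Cluster
    # QuorumResource is $null for Node Majority; otherwise it names the witness.
    [pscustomobject]@{
        Cluster     = $q.Cluster
        Model       = $q.QuorumType
        Witness     = if ($q.QuorumResource) { $q.QuorumResource.Name } else { '(none)' }
        VotingNodes = (Get-ClusterNode -Cluster $Cluster | Where-Object NodeWeight -eq 1).Count
    }
}

'Before:'
Get-QuorumSummary -Cluster $ClusterName

# Each branch corresponds to one of the four quorum types from the answer above.
$Model = 'NodeAndFileShareMajority'       # change to the model you want
switch ($Model) {
    'NodeMajority'             { Set-ClusterQuorum -Cluster $ClusterName -NodeMajority }
    'NodeAndDiskMajority'      { Set-ClusterQuorum -Cluster $ClusterName -NodeAndDiskMajority $WitnessDisk }
    'NodeAndFileShareMajority' { Set-ClusterQuorum -Cluster $ClusterName -NodeAndFileShareMajority $WitnessShare }
    'DiskOnly'                 { Set-ClusterQuorum -Cluster $ClusterName -DiskOnly $WitnessDisk }
}

'After:'
Get-QuorumSummary -Cluster $ClusterName
```

With an even number of voting nodes, a disk or file share witness is what prevents a split vote; with Disk Only, the loss of that single disk stops the whole cluster.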

Ques: What are the key features of Microsoft Hyper-V?

Ans: The key features of Microsoft Hyper-V are:

1- 64-bit hypervisor-based virtualization.

2- The ability to run 32-bit and 64-bit virtual machines.

3- Uniprocessor and multiprocessor virtual machines are supported.

4- Virtual machine snapshots, which capture the state, data, and hardware configuration of a running virtual machine. Because snapshots record system states, you can revert the virtual machine to a previous state when it runs into a problem.

5-Large virtual machine memory support.

6-Virtual local area network (VLAN) support.

Ques: What is a CSV (Cluster Shared Volume) in Hyper-V?

Ans:-

1- CSVs allow a cluster of Hyper-V servers to share a set of disks or volumes.

2- Any host in the cluster can access any of the shared disks.

3- Without CSV, a failover cluster allows a given disk (LUN) to be accessed by only one node at a time.

Ques:-What are Hyper-V Integration Components?

Ans:-

1- Integration components install agents into a VM that enable the host to back up the VM, recognize when it has gone down, and copy and paste data into and out of the VM.

2- They synchronize the VM's clock to the host.

3- Hyper-V integration components are delivered directly to virtual machines using Windows Update.

Ques:- What are the prerequisites to install and use Hyper-V?

Ans:-

1-An x64-based processor

2- Hardware-assisted virtualization (Intel VT or AMD Virtualization (AMD-V))

3-Data Execution Prevention (DEP) must be available

Ques:- What types of disk controller can you use in a Hyper-V VM?

Ans:- There are three types of disk controller in a Hyper-V virtual machine:

IDE devices

SCSI devices

HBAs

Ques:- From where can you manage Hyper-V hosts remotely?

Ans:- Hyper-V hosts can be managed remotely using Hyper-V Manager.

Ques:- How do you monitor the performance of your VMs?

Ans:- We can monitor the performance of VMs with different methods:

1- Hyper-V Performance Monitor tool (PowerShell)

2- Perfmon

Ques:- Types of networks in Hyper-V

Ans:- There are three types of networks in Hyper-V:

1- Private Virtual Network:- This type of switch is bound to the physical network cards located in the host.

2- Internal Virtual Network:- This switch is not bound to a physical network card, so it only allows traffic between VMs and the host.

3- External Virtual Network:- This type of switch is only used for virtual machines to communicate with each other.

Ques:- What are the system requirements for Hyper-V?

Ans:- Basic requirements for Hyper-V installation:

1- 64-bit processor

2- Hardware virtualization support (Intel VT or AMD Virtualization (AMD-V))

3-Minimum of 4 GB memory
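An added example (not from the original page) that checks the requirements listed here and in the earlier prerequisite questions (64-bit, Intel VT/AMD-V, DEP, 4 GB RAM) with Get-ComputerInfo and, only if every check passes, installs the role with the PowerShell equivalent of the Add Roles and Features wizard. The 4 GB threshold is taken from the answer above; the function and its name are this example's own.

```powershell
# Added example (not from the original page): verify the Hyper-V prerequisites
# named on this page before installing the role. Run in an elevated PowerShell
# on the candidate host.
function Test-HyperVPrerequisites {
    [CmdletBinding()]
    param([long]$MinimumMemoryBytes = 4GB)   # 4 GB minimum from the answer above

    # Get-ComputerInfo exposes the same values systeminfo.exe prints under
    # "Hyper-V Requirements".
    $ci = Get-ComputerInfo
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # When a hypervisor is already running (Hyper-V installed, or we are a
    # nested guest) the HyperVRequirement* properties are not populated, so a
    # failed check here may be a false negative; say so explicitly.
    if ($ci.HyperVisorPresent) {
        Write-Warning 'A hypervisor is already present; firmware checks are not reported.'
    }

    $checks = [ordered]@{
        'x64 operating system'                    = [Environment]::Is64BitOperatingSystem
        'Virtualization enabled in firmware'      = $ci.HyperVRequirementVirtualizationFirmwareEnabled
        'VM monitor mode extensions (VT-x/AMD-V)' = $ci.HyperVRequirementVMMonitorModeExtensions
        'Second Level Address Translation'        = $ci.HyperVRequirementSecondLevelAddressTranslation
        'Data Execution Prevention available'     = $ci.HyperVRequirementDataExecutionPreventionAvailable
        "At least $($MinimumMemoryBytes / 1GB) GB RAM" = $cs.TotalPhysicalMemory -ge $MinimumMemoryBytes
    }

    foreach ($name in $checks.Keys) {
        # [bool]$null is $false, so an unreported firmware value counts as a failure.
        [pscustomobject]@{ Check = $name; Passed = [bool]$checks[$name] }
    }
}

$results = Test-HyperVPrerequisites
$results | Format-Table -AutoSize

if ($results.Passed -notcontains $false) {
    # Same outcome as Server Manager -> Add Roles and Features -> Hyper-V.
    Install-WindowsFeature -Name Hyper-V -IncludeManagementTools -Restart
}
else {
    Write-Warning 'Prerequisites not met; Hyper-V role not installed.'
}
```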

Ques:- What are the file types of a VM in Hyper-V?

Ans:-

1- .XML files:- These files contain the virtual machine configuration details. There is one for each virtual machine and for each snapshot of a virtual machine. They are always named with the GUID used internally to identify the virtual machine or snapshot in question.

2- .BIN files:- This file contains the memory of a virtual machine or snapshot that is in a saved state.

3- .VSV files:- This file contains the saved state of the devices associated with the virtual machine.

4- .VHD files:- These are the virtual hard disk files for the virtual machine.

5- .AVHD files:- These are the differencing disk files used for virtual machine snapshots.

Ques:- What is a virtual machine snapshot?

Ans:- 1- A virtual machine snapshot is a copy of a virtual machine (VM) at a specified point in time.

2- A virtual machine snapshot allows a VM to be restored to its state at the time of snapshot creation.

3- Snapshots require adequate storage space. Snapshots are stored as .avhd files in the same location as the virtual hard disk.

Ques:- How do you change the Hyper-V file and settings locations?

Ans:- Default locations of the Hyper-V files:

C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks

C:\ProgramData\Microsoft\Windows\Hyper-V

They are changed in Hyper-V Manager, as a property of the server itself: right-click the server, select Hyper-V Settings, then change both the path for Virtual Hard Disks and the path for Virtual Machines.

Ques:- How do you export a Hyper-V VM? Describe the method.

Ans:-

1- Go to Hyper-V Manager.

2- Right-click the VM and select the Export option.

3- Browse to the location where the exported machine should be saved.

Ques:- What are the benefits of using CSV?

Ans:-

1- Multiple clustered virtual machines can use the same LUN while still being able to fail over from one node to another independently.

2- The free space on a Cluster Shared Volume can be used by any VHD file on that LUN.

3- A virtual machine can have its VHD files accessed by any node in the cluster.

4- Hyper-V supports live migration of virtual machines (VMs) using CSV.

1. Which events indicate Active Directory replication problems?

Ans. Below are the event IDs and the associated problems or error messages:

Net Logon Event ID 5805:- A machine account failed to authenticate, which is usually caused by either multiple instances of the same computer name, or the computer name not having replicated to every domain controller.

NTDS Event ID 1083: A duplicate object is present in the Active Directory of the replication partner of the local domain controller, so updating it is impossible.

NTDS Event ID 1265: Replication failed for the reason stated in the message text.

NTDS Event ID 1311: This error occurs when the replication configuration information in Active Directory Sites and Services does not accurately reflect the physical topology of the network.

NTDS Event ID 1388: This error is usually generated by a lingering object which resulted from disconnecting a domain controller for too long.

NTDS Event ID 1645: This error occurs over an existing replication link when the GUID of the NTDS Settings object of a replication partner does not match the GUID defined in the Service Principal Name (SPN) attributes of the computer object of this replication partner.

SceCli Event ID 1202: A user account in one or more Group Policy objects (GPOs) cannot be resolved to a security identifier (SID). This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights Assignment or Restricted Groups branch of a GPO.

2. What if the Schema Master goes down?

Ans. The Schema Master is one of the key forest-wide FSMO roles. If the Schema Master goes down, the logon service is not impacted, but the loss of the Schema Master role holder puts the forest into a state of stasis: no object types or attributes can be added to the schema.

3. What is AD Federation Services?

Ans. ADFS (Active Directory Federation Services) simplifies access to systems and applications using a Claims-Based Access (CBA) authorization mechanism to maintain application security. ADFS supports Web SSO technology that helps IT organisations collaborate across organizational boundaries.

4. What is AD Management Gateway Service?

Ans. It is a web service interface that gives applications access to Active Directory.

5. What port numbers are used by WSUS for reporting?

Ans. 80/443 for IPv4, 8350/8351 for IPv6.

6. How do you check which policies have been applied to a client machine?

Ans. Through the GUI:

Start - Run - rsop.msc (Resultant Set of Policy)

Through the command line:

gpresult /scope user /v

7. What is the command to check replication status?

Ans. To check the status of replication, use the commands below in a cmd prompt on the domain controller:

repadmin /showrepl servername /u:domainname\username /pw:*

To generate the replication status for all replication partners:

repadmin /showrepl * /csv > showrepl.csv
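Added example (not from the original page) combining question 1 and question 7: it parses the CSV form of repadmin /showrepl for partners with failures, then looks for the event IDs from question 1 in the local event logs. The log that carries each event ID is the standard one for that source; the 24-hour window and the function names are this example's assumptions.

```powershell
# Added example (not from the original page): replication health check built
# from the two answers above. Run on a domain controller with admin rights.
$ReplicationEvents = @{
    # Log name          = @{ EventId = meaning (from question 1) }
    'System'            = @{ 5805 = 'Net Logon: machine account failed to authenticate' }
    'Directory Service' = @{
        1083 = 'Duplicate object on replication partner'
        1265 = 'Replication failed (see message text)'
        1311 = 'Sites and Services topology does not reflect the network'
        1388 = 'Lingering object from a long-disconnected DC'
        1645 = 'NTDS Settings GUID does not match partner SPN'
    }
    'Application'       = @{ 1202 = 'SceCli: GPO account could not be resolved to a SID' }
}

function Get-FailingReplicationPartner {
    # repadmin /showrepl * /csv emits one row per naming context and source DSA;
    # ConvertFrom-Csv turns the header row into property names.
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    $rows |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status'
}

function Get-ReplicationProblemEvent {
    param([int]$Hours = 24)   # look-back window (assumption)
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($log in $ReplicationEvents.Keys) {
        $ids = [int[]]$ReplicationEvents[$log].Keys
        # Get-WinEvent throws when no event matches; treat that as "none".
        Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $ids; StartTime = $since } `
                     -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Log     = $log
                    EventId = $_.Id
                    Meaning = $ReplicationEvents[$log][$_.Id]
                    Message = ($_.Message -split "`n")[0]   # first line only
                }
            }
    }
}

$failures = Get-FailingReplicationPartner
$events   = Get-ReplicationProblemEvent -Hours 24

"Partners with failures: $(@($failures).Count)"
$failures | Format-Table -AutoSize
"Replication problem events in the last 24 h: $(@($events).Count)"
$events | Sort-Object Time | Format-Table -AutoSize
```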

8. How do you identify which domain controller holds which FSMO role?

Ans. To identify which DC holds which FSMO role, log in to the server, open cmd and enter the command below:

netdom query fsmo

9. What is white space in Active Directory?

Ans. During ordinary operation, the white space in the Active Directory database becomes fragmented. Each time garbage collection runs (every 12 hours by default), white space is automatically defragmented online to optimize its use within the database file. The unused disk space is therefore retained for the database; it is not returned to the file system.

10. What is the impact if the PDC emulator is down?

Ans. If the PDC emulator is down, clients/users will not be able to change passwords and time synchronization will not happen.

Frequently asked interview questions on Active Directory.

This is a compilation of questions and answers on Active Directory from various sources listed below. It provides a starting point in preparation for a Windows Administration interview.

1. Define Active Directory

Active Directory is a database that stores data pertaining to the users and objects within the network. Active Directory allows the compilation of networks that connect with AD, as well as their management and administration.

2. What is a domain within Active Directory?

A domain represents the group of network resources that includes computers, printers, applications and other resources. Domains share a directory database. The domain is represented by the address of the resources within the database. A user can log into a domain to gain access to the resources that are listed as part of that domain.

3. What is the domain controller?

The server that responds to user requests for access to the domain is called the Domain
Controller or DC. The Domain Controller allows a user to gain access to the resources
within the domain through the use of a single username and password.

4. Explain what domain trees and forests are

Domains that share common schemas and configurations can be linked to form a
contiguous namespace. Domains within the trees are linked together by creating special
relationships between the domains based on trust. Forests consist of a number of domain
trees that are linked together within AD, based on various implicit trust relationships.
Forests are generally created where a server setup includes a number of root DNS
addresses. Trees within the forest do not share a contiguous namespace.

5. What is LDAP?

LDAP is an acronym for Lightweight Directory Access Protocol and it refers to the
protocol used to access, query and modify the data stored within the AD directories.
LDAP is an internet standard protocol that runs over TCP/IP.

6. Mention which is the default protocol used in directory services?

The default protocol used in directory services is LDAP ( Lightweight Directory Access
Protocol).

7. What tool would you use to edit AD?

Adsiedit.msc is a low-level editing tool for Active Directory. Adsiedit.msc is a Microsoft Management Console snap-in with a graphical user interface that allows administrators to accomplish simple tasks like adding, editing and deleting objects within a directory service. Adsiedit.msc uses Application Programming Interfaces to access Active Directory. Since Adsiedit.msc is a Microsoft Management Console snap-in, it requires access to MMC and a connection to an Active Directory environment to function correctly.

8. How would you manage trust relationships from the command prompt?

Netdom.exe is another program within Active Directory that allows administrators to manage Active Directory. Netdom.exe is a command-line application that allows administrators to manage trust relationships within Active Directory from the command prompt. Netdom.exe allows for batch management of trusts. It allows administrators to join computers to domains. The application also allows administrators to verify trusts and secure Active Directory channels.

9. Where is the AD database held and how would you create a backup of the database?

The database is stored within the Windows NTDS directory. You could create a backup of the database by creating a backup of the System State data using the default NTBACKUP tool provided by Windows or by Symantec's NetBackup. The System State backup will create a backup of the local registry, the boot files, COM+, the NTDS.DIT file as well as the SYSVOL folder.

10. What is SYSVOL, and why is it important?

SYSVOL is a folder that exists on all domain controllers. It is the repository for all of the
active directory files. It stores all the important elements of the Active Directory group
policy. The File Replication Service or FRS allows the replication of the SYSVOL folder
among domain controllers. Logon scripts and policies are delivered to each domain user
via SYSVOL. SYSVOL stores all of the security related information of the AD.

11. Briefly explain how Active Directory authentication works

When a user logs into the network, the user provides a username and password. The
computer sends this username and password to the KDC which contains the master list of
unique long term keys for each user. The KDC creates a session key and a ticket granting
ticket. This data is sent to the user’s computer. The user’s computer runs the data through
a one-way hashing function that converts the data into the user’s master key, which in
turn enables the computer to communicate with the KDC, to access the resources of the
domain.

12. Mention what is the difference between domain admin groups and enterprise
admins group in AD?

Enterprise Admin Group

o Members of this group have complete control of all domains in the forest.
o By default, this group belongs to the administrators group on all domain controllers in the forest.
o As such this group has full control of the forest; add users with caution.

Domain Admin Group

o Members of this group have complete control of the domain.
o By default, this group is a member of the administrators group on all domain controllers, workstations and member servers at the time they are joined to the domain.
o As such the group has full control in the domain; add users with caution.

13. Mention what is Kerberos?

Kerberos is a network authentication protocol. It is built to offer strong authentication for client/server applications by using secret-key cryptography.

14. Mention what are lingering objects?

Lingering objects can exist if a domain controller does not replicate for an interval of time that is longer than the tombstone lifetime (TSL).

15. Mention what is TOMBSTONE lifetime?

The tombstone lifetime in an Active Directory determines how long a deleted object is retained in Active Directory. Deleted objects in Active Directory are stored in a special object referred to as a TOMBSTONE. Usually, Windows will use a 60-day tombstone lifetime if the time is not set in the forest configuration.

16. Mention what is PDC emulator and how would one know whether PDC emulator is
working or not?

PDC Emulators: There is one PDC emulator per domain, and when there is a failed authentication attempt, it is forwarded to the PDC emulator. It acts as a "tie-breaker" and it controls the time sync across the domain. These are the symptoms through which we can know whether the PDC emulator is working or not:

o Time is not syncing
o Users' accounts are not locked out
o Windows NT BDCs are not getting updates
o Pre-Windows 2000 computers are unable to change their passwords

17. Explain what is Active Directory Schema?

The Schema is the Active Directory component that describes all the attributes and objects that the directory service uses to store data.

18. Explain what is a child DC?

A CDC or child DC is a sub-domain controller under the root domain controller which shares the namespace.

19. Explain what is RID Master?

RID Master stands for Relative Identifier Master; it is responsible for assigning unique IDs to the objects created in AD.

20. Mention what are the components of AD?

Components of AD include:

o Logical structure: trees, forests, domains and OUs
o Physical structure: domain controllers and sites

21. Explain what is Infrastructure Master?

The Infrastructure Master is responsible for updating information about users and groups and the global catalogue.

22. What is FSMO?

Flexible single master operation is a specialized set of domain controller (DC) tasks, used where standard data transfer and update methods are inadequate. AD normally relies on multiple peer DCs, each with a copy of the AD database, being synchronized by multi-master replication.

23. Tell me about the FSMO roles.

o Schema Master
o Domain Naming Master
o Infrastructure Master
o RID Master
o PDC

Schema Master and Domain Naming Master are forest-wide roles, with only one of each per forest; the other roles are domain-wide, one per domain. AD replication is multi-master replication: a change can be made on any domain controller and is replicated to the other domain controllers, except for the five roles above, which are flexible single master operations (FSMO); those changes can only be made on a dedicated domain controller, so they are single-master replication.

24. Which FSMO role is the most important? And why?

An interesting question: which of the 5 FSMO roles is most important, or, if one role fails, which will impact the end-user immediately? Most amateur administrators pick the Schema Master role, perhaps because they think the Schema is very critical to running Active Directory. The correct answer is the PDC. Why? Going role by role through what happens when a FSMO role holder fails gives the answer.

Schema Master – The Schema Master is needed to update the Schema, and we don't update the schema daily. When do we update the Schema? During an operating system migration, when installing a new Exchange version, or for any other application that requires extending the schema. So if the Schema Master server is not available we cannot update the schema, but this will not affect Active Directory operation or the end-user. The Schema Master only needs to be online and ready when we plan to make a schema change, so we have more time to bring the Schema Master server back.

Domain Naming Master – The Domain Naming Master is required to create a new domain or an application partition. Like the Schema Master, we don't create domains or application partitions frequently. So if the Domain Naming Master server is not available we cannot create a new domain or application partition; this does not affect users, who will not even be aware that the Domain Naming Master server is down.

Infrastructure Master – The Infrastructure Master handles cross-domain updates. What really gets updated between domains? Whenever a user logs in to the domain, the TGT is created with the list of access the user has through group membership (user group membership details); it also contains the user's membership details from trusted domains. The Infrastructure Master keeps this information up to date: it updates reference information every 2 days by comparing its data with the Global Catalog (that is why we don't keep the Infrastructure Master and a GC on the same server). In a single-domain, single-forest environment there is no impact if the Infrastructure Master server is down. In a multi-domain or multi-forest environment there will be an impact, but we have enough time to fix the issue before it affects the end-user.

RID Master – Every DC is initially issued 500 RIDs by the RID Master server. RIDs are used to create new objects in Active Directory: all new objects are created with a Security ID (SID), and the RID is the last part of the SID. The RID uniquely identifies a security principal relative to the local or domain security authority that issued the SID. When a DC's pool gets down to 250 (50%) it requests a second pool of RIDs from the RID Master. If the RID Master server is not available, RID pools cannot be issued to DCs, and DCs can only create new objects while they have RIDs available; every DC has anywhere between 250 and 750 RIDs available, so there is no immediate impact.

PDC – The PDC is required for time sync, user login, password changes and trusts. Now you know why the PDC is the most important FSMO role holder to get back online: a PDC failure impacts the end-user immediately and we need to recover it ASAP. The PDC emulator emulates a Primary Domain Controller for backwards compatibility, is responsible for time synchronization within a domain, and is also the password master. Any password change is replicated to the PDC emulator ASAP. If a logon request fails due to a bad password, the logon request is passed to the PDC emulator to check the password before rejecting the login request.
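Added example (not from the original page): the PowerShell equivalent of netdom query fsmo, extended with the checks this answer implies (each role holder reachable, the PDC emulator acting as the time source, and the Infrastructure Master not also being a GC in a multi-domain forest). It assumes the ActiveDirectory RSAT module and that it runs on a domain member other than the PDC itself; the function names are this example's own.

```powershell
# Added example (not from the original page): locate the five FSMO role holders
# and run the health checks implied by the answer above.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        'Schema Master'         = $forest.SchemaMaster          # forest-wide
        'Domain Naming Master'  = $forest.DomainNamingMaster    # forest-wide
        'PDC Emulator'          = $domain.PDCEmulator           # domain-wide
        'RID Master'            = $domain.RIDMaster             # domain-wide
        'Infrastructure Master' = $domain.InfrastructureMaster  # domain-wide
    }
}

function Test-FsmoHealth {
    $roles       = Get-FsmoRoleHolder
    $domainCount = (Get-ADForest).Domains.Count

    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        $dc     = Get-ADDomainController -Identity $holder
        $note   = ''

        switch ($role) {
            'PDC Emulator' {
                # On a member that is not the PDC, the local time source should
                # chain back to the PDC emulator (the PDC itself syncs externally).
                $src = (w32tm /query /source 2>$null) -join ''
                if ($src -notmatch [regex]::Escape($holder.Split('.')[0])) {
                    $note = "local time source is '$src', not the PDC emulator"
                }
            }
            'Infrastructure Master' {
                # In a multi-domain forest the IM must not be a GC, or cross-domain
                # references are never refreshed; single-domain forests are exempt.
                if ($domainCount -gt 1 -and $dc.IsGlobalCatalog) {
                    $note = 'holder is also a GC in a multi-domain forest'
                }
            }
        }

        [pscustomobject]@{
            Role      = $role
            Holder    = $holder
            Reachable = Test-Connection -ComputerName $holder -Count 1 -Quiet
            Note      = $note
        }
    }
}

Test-FsmoHealth | Format-Table -AutoSize
```

An unreachable PDC Emulator row is the one to act on first, for the reasons the answer gives; an unreachable Schema Master or Domain Naming Master can wait for the next planned change.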

25. What is Active Directory Partitions?

An Active Directory partition defines how and where the AD information is logically stored.

26. What are all the Active Directory Partitions?

o Schema
o Configuration
o Domain
o Application partition

27. What is KCC?

KCC (Knowledge Consistency Checker) is used to generate the replication topology for inter-site replication and for intra-site replication. Within a site, replication traffic is carried by remote procedure calls over IP, while between sites it is done through either RPC or SMTP.

28. Explain what intrasite and intersite replication is and how KCC facilitates replication

The replication of DCs inside a single site is called intrasite replication, whilst the replication of DCs in different sites is called intersite replication. Intrasite replication occurs frequently, while intersite replication occurs less often, mainly to conserve network bandwidth.

KCC is an acronym for the Knowledge Consistency Checker. The KCC is a process that runs on all of the domain controllers. The KCC generates the replication topology for replication within sites and between sites. Between sites, replication is done through SMTP or RPC, whilst intrasite replication is done using remote procedure calls over IP.

29. What is group policy?

Group Policy is one of the most exciting -- and potentially complex -- mechanisms that
the Active Directory enables. Group policy allows a bundle of system and user settings
(called a "Group Policy Object" or GPO) to be created by an administrator of a domain or
OU and have it automatically pushed down to designated systems.

Group Policy can control everything from user interface settings such as screen
background images to deep control settings in the client such as its TCP/IP configuration
and authentication settings. There are currently over 500 controllable settings. Microsoft
has provided some templates as well to provide a starting point for creating policy
objects.

A significant advantage of group policy over the old NT-style policies is that the changes
they make are reversed when the policy no longer applies to a system. In NT 4, once a
policy was applied to a system, removing that policy did not by itself roll back the
settings that it imposed on the client. With Windows 2000, when a specified policy no
longer applies to a system it will revert to its previous state without administrative
interference.

Multiple policies from different sources can be applied to the same object. For example, a domain might have one or more domain-wide policies that apply to all systems in the domain. Below that, systems in an OU can also have policy objects applied to them, and the OU can even be further divided into sub-OUs with their own policies.

This can create a very complex web of settings, so administrators must be very careful when creating these multiple layers of policy to make sure the end result -- which is the union of all of the applicable policies, with the "closest" policy taking priority in most cases -- is correct for that system. In addition, because Group Policy is checked and applied during the system boot process for machine settings and again during logon for user settings, it is recommended that GPOs be applied to a computer from no more than five "layers" in the AD to keep reboot and/or login times from becoming unacceptably long.

30. Why do we need Netlogon?

Maintains a secure channel between this computer and the domain controller for
authenticating users and services. If this service is stopped, the computer may not
authenticate users and services, and the domain controller cannot register DNS records.

31. What are the group types available in Active Directory?

Security groups: Use security groups for granting permissions to gain access to resources. Sending an e-mail message to a group sends the message to all members of the group. Therefore security groups share the capabilities of distribution groups.

Distribution groups: Distribution groups are used for sending e-mail messages to groups of users. You cannot grant permissions to distribution groups. Even though security groups have all the capabilities of distribution groups, distribution groups are still required, because some applications can only read distribution groups.

32. Explain the group scopes in AD.

Domain Local Group: Use this scope to grant permissions to domain resources that are located in the same domain in which you created the domain local group. Domain local groups can exist in all mixed, native and interim functional levels of domains and forests. Domain local group membership is not limited: you can add user accounts, universal groups and global groups from any domain as members. Just remember that nesting cannot be done with domain local groups: a domain local group will not be a member of another domain local group or any other group in the same domain.

Global Group: Users with a similar function can be grouped under global scope and be given permission to access a resource (like a printer or shared folder and files) available in the local domain or another domain in the same forest. In simple words, global groups can be used to grant permissions to gain access to resources located in any domain within a single forest, as their membership is limited: user accounts and global groups can be added only from the domain in which the global group is created. Nesting is possible with global groups, as you can add a global group into another global group from any domain. Finally, to provide permission to domain-specific resources (like printers and published folders), they can be members of a domain local group. Global groups exist in all mixed, native and interim functional levels of domains and forests.

Universal Group Scope: These groups are precisely used for email distribution and can be granted access to resources in all trusted domains, as these groups can only be used as a security principal (security group type) in a Windows 2000 native or Windows Server 2003 domain functional level domain. Universal group membership is not limited like global groups: all domain user accounts and groups can be members of a universal group. Universal groups can be nested under a global or domain local group in any domain.

33. What is REPLMON?

The Microsoft definition of the Replmon tool is as follows: this GUI tool enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication.

34. What is NETDOM?

NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels.

35. Explain about Trust in AD ?

To allow users in one domain to access resources in another, Active Directory uses trusts.
Trusts inside a forest are automatically created when domains are created. The forest sets
the default boundaries of trust, not the domain, and implicit, transitive trust is automatic
for all domains within a forest. As well as two-way transitive trust, AD trusts can be a
shortcut (joins two domains in different trees, transitive, one- or two-way), forest
(transitive, one- or two-way), realm (transitive or nontransitive, one- or two-way), or
external (nontransitive, one- or two-way) in order to connect to other forests or non-AD
domains.

36. Different modes of AD restore?

A nonauthoritative restore is the default method for restoring Active Directory. To perform a nonauthoritative restore, you must be able to start the domain controller in Directory Services Restore Mode. After you restore the domain controller from backup, replication partners use the standard replication protocols to update Active Directory and associated information on the restored domain controller.

An authoritative restore brings a domain or a container back to the state it was in at the time of backup and overwrites all changes made since the backup. If you do not want to replicate the changes that have been made subsequent to the last backup operation, you must perform an authoritative restore. In this case you need to stop inbound replication first, before performing the authoritative restore.

37. What is OU?

An Organizational Unit is a container object in which you can keep objects such as user accounts, groups, computers, printers, applications and other OUs. In an organizational unit you can assign specific permissions to users. Organizational units can also be used to create departmental boundaries.

38. What is Global Catalog?

The Global Catalog authenticates network user logons and fields inquiries about objects across a forest or tree. Every domain has at least one GC that is hosted on a domain controller. In Windows 2000, there was typically one GC on every site in order to prevent user logon failures across the network.

39. When should you create a forest?

Organizations that operate on radically different bases may require separate trees with
distinct namespaces. Unique trade or brand names often give rise to separate DNS
identities. Organizations merge or are acquired and naming continuity is desired.
Organizations form partnerships and joint ventures. While access to common resources is
desired, a separately defined tree can enforce more direct administrative and security
restrictions.

40. What is group nesting?

Adding one group as a member of another group is called ‘group nesting’. This simplifies
administration and reduces replication traffic.

41. How does AD authentication work?

When a user enters a user name and password, the computer sends the user name to the
Key Distribution Centre (KDC). The KDC contains a master database of unique long
term keys for every principal in its realm. The KDC looks up the user’s master key (KA),
which is based on the user’s password. The KDC then creates two items: a session key
(SA) to share with the user and a Ticket-Granting Ticket (TGT). The TGT includes a
second copy of the SA, the user name, and an expiration time. The KDC encrypts this
ticket by using its own master key (KKDC), which only the KDC knows. The client
computer receives the information from the KDC and runs the user’s password through a
one-way hashing function, which converts the password into the user’s KA. The client
computer now has a session key and a TGT so that it can securely communicate with the
KDC. The client is now authenticated to the domain and is ready to access other
resources in the domain by using the Kerberos protocol.
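The exchange described above, as an added worked example that is not part of the original page: a toy KDC derives the user's long-term key K_A from the password with a one-way function, issues a session key S_A sealed under K_A and a TGT sealed under the KDC master key K_KDC, and the client recovers S_A only if it typed the right password. HMAC-SHA256 in counter mode plus an HMAC tag stands in for a real Kerberos encryption type, PBKDF2 stands in for the Kerberos string-to-key function, and the names KDC, derive_user_key, seal, unseal, client_login and the realm CORP.EXAMPLE are all assumptions of this illustration.

```python
"""Toy model of the Kerberos AS exchange (constructed example, not real Kerberos code)."""
import hashlib
import hmac
import os
import struct
import time

NONCE_LEN = 16
TAG_LEN = 32


def derive_user_key(password: str, salt: bytes) -> bytes:
    """One-way function: password -> long-term key K_A (PBKDF2 as a stand-in)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag (toy authenticated encryption)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first: a wrong key (wrong password) fails here, not later."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Holds the realm's long-term keys and the KDC master key K_KDC."""

    def __init__(self, realm: str):
        self.realm = realm
        self.master_key = os.urandom(32)   # K_KDC: known only to the KDC
        self.principals = {}               # user -> K_A (never the password)

    def _salt(self, user: str) -> bytes:
        return (self.realm + user).encode()

    def register(self, user: str, password: str) -> None:
        self.principals[user] = derive_user_key(password, self._salt(user))

    def as_exchange(self, user: str, ttl_seconds: int = 8 * 3600):
        """AS-REQ/AS-REP: returns (S_A sealed under K_A, TGT sealed under K_KDC)."""
        k_a = self.principals[user]
        s_a = os.urandom(32)
        expiry = int(time.time()) + ttl_seconds
        tgt_body = struct.pack(">q", expiry) + s_a + user.encode()  # second copy of S_A
        return seal(k_a, s_a), seal(self.master_key, tgt_body)

    def validate_tgt(self, tgt: bytes):
        """Later TGS handling: only the KDC can open the TGT; expired tickets are rejected."""
        body = unseal(self.master_key, tgt)
        expiry = struct.unpack(">q", body[:8])[0]
        if time.time() > expiry:
            raise ValueError("TGT expired")
        return body[40:].decode(), body[8:40]


def client_login(kdc: KDC, user: str, password: str):
    """Client side: derive K_A locally from the typed password and recover S_A."""
    enc_s_a, tgt = kdc.as_exchange(user)
    k_a = derive_user_key(password, kdc._salt(user))
    s_a = unseal(k_a, enc_s_a)      # raises ValueError on a wrong password
    return s_a, tgt


def login_succeeds(kdc: KDC, user: str, password: str) -> bool:
    try:
        client_login(kdc, user, password)
        return True
    except ValueError:
        return False


def tgt_is_valid(kdc: KDC, tgt: bytes) -> bool:
    try:
        kdc.validate_tgt(tgt)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    kdc = KDC("CORP.EXAMPLE")
    kdc.register("alice", "correct-horse-battery")
    s_a, tgt = client_login(kdc, "alice", "correct-horse-battery")
    print("client session key:", s_a.hex()[:16], "... plus an opaque TGT")
    print("KDC opens TGT for:", kdc.validate_tgt(tgt)[0])
```

Two points worth noticing when reading it: the client never receives K_KDC, so it can carry the TGT but not read or forge it, and a wrong password is detected by the integrity tag on the sealed S_A rather than by the KDC comparing passwords.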

42. What is the Global Catalog and what is its function?

The global catalog is a distributed data repository that contains a searchable, partial
representation of every object in every domain in a multidomain Active Directory
Domain Services (AD DS) forest. The global catalog is stored on domain controllers that
have been designated as global catalog servers and is distributed through multimaster
replication. Searches that are directed to the global catalog are faster because they do not
involve referrals to different domain controllers.

The global catalog provides the ability to locate objects from any domain without having
to know the domain name. A global catalog server is a domain controller that, in addition
to its full, writable domain directory partition replica, also stores a partial, read-only
replica of all other domain directory partitions in the forest.

Forest-wide searches. The global catalog provides a resource for searching an AD DS
forest. Forest-wide searches are identified by the LDAP port that they use: if the search
query uses port 3268, the query is sent to a global catalog server.

User logon. In a forest that has more than one domain, two conditions require the global
catalog during user authentication:

o In a domain that operates at the Windows 2000 native domain functional level or
higher, domain controllers must request universal group membership enumeration
from a global catalog server.
o When a user principal name (UPN) is used at logon and the forest has more than one
domain, a global catalog server is required to resolve the name.

Universal Group Membership Caching. In a forest that has more than one domain, in sites
that have domain users but no global catalog server, Universal Group Membership Caching
can be used to cache logon credentials so that the global catalog does not have to be
contacted for subsequent user logons. This feature eliminates the need to retrieve universal
group memberships across a WAN link from a global catalog server in a different site.

Exchange Address Book lookups. Servers running Microsoft Exchange Server rely on
access to the global catalog for address information. Users use global catalog servers to
access the global address list (GAL).

43. What are the physical components of Active Directory?

Domain controllers and sites. Domain controllers are physical computers running the
Windows Server operating system and the Active Directory database. A site is a network
segment based on geographical location, and each site contains multiple domain
controllers.

44. What are the logical components of Active Directory?

Domains, Organizational Units, trees and forests are logical components of Active
Directory.

45. What is RODC? Why do we configure RODC?

Read Only Domain Controller (RODC) is a feature of the Windows Server 2008 operating
system. An RODC holds a read-only copy of the Active Directory database and can be
deployed in a remote branch office where physical security cannot be guaranteed. An
RODC provides improved security and faster logon time for the branch office.

46. What is role seizure? When do we perform role seizure?

Role seizure is the action of assigning an operations master role to a new domain
controller without the support of the existing role holder (generally because it is offline
due to a hardware failure). During role seizure, a new domain controller assumes the
operations master role without communicating with the existing role holder. Role seizure
can be done using the repadmin.exe and Ntdsutil.exe commands.

47. Tell me a few uses of NTDSUTIL commands.

We can use ntdsutil commands to perform database maintenance of AD DS, manage and
control single master operations, perform Active Directory backup restoration and remove
metadata left behind by domain controllers that were removed from the network without
being properly uninstalled.

48. A user is unable to log into his desktop which is connected to a domain. What are
the troubleshooting steps you will consider?

Check the network connection on the desktop. Try to ping the domain controller. Check
that name resolution is working. Check Active Directory for the computer account of the
desktop. Compare the time settings on the desktop and the domain controller. Remove the
desktop from the domain and rejoin it to the domain.

49. A Domain Controller called ABC is failing replication with XYZ. How do you
troubleshoot the issue?

Active Directory replication issues can occur for a variety of reasons, for example DNS
issues, network problems or security issues. Troubleshooting can start by verifying DNS
records. Then remove and recreate the domain controller replication link. Check the time
settings on both replication partners.

50. What do you understand by Garbage Collection? Explain.

Garbage collection is a housekeeping process of Active Directory. The process starts by
removing the remains of previously deleted objects from the database; these remains are
known as tombstones. Next, the garbage collection process deletes unnecessary log files.
Finally, the process starts a defragmentation thread to reclaim additional free space. The
garbage collection process runs on every domain controller at an interval of 12 hours.
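The tombstone-purge step of garbage collection, as an added simulation that is not part of the original page. It uses the 12-hour interval stated above, treats the tombstone lifetime as an assumed parameter (180 days here), and goes one step beyond the text by showing what happens when a domain controller misses the tombstone for longer than that lifetime: the reference DC purges the tombstone, the disconnected DC still holds the object live, and the deleted account reappears as a lingering object. Log-file cleanup and defragmentation are not modelled; Replica, delete, garbage_collect, replicate_deletion, lingering_objects and the sample DNs are all invented for this example.

```python
"""Tombstone garbage collection across replicas (constructed example, simplified)."""
from dataclasses import dataclass, field

GC_INTERVAL_HOURS = 12                 # from the page: garbage collection runs every 12 h
TOMBSTONE_LIFETIME_HOURS = 180 * 24    # assumption: a 180-day tombstone lifetime


@dataclass
class Replica:
    """One domain controller's copy of the directory; time is measured in hours."""
    name: str
    live: set = field(default_factory=set)          # DNs of live objects
    tombstones: dict = field(default_factory=dict)  # DN -> deletion time (hours)
    last_gc: float = float("-inf")
    gc_runs: int = 0

    def delete(self, dn: str, now_h: float) -> None:
        """Deletion turns the object into a tombstone; it is not removed outright."""
        self.live.discard(dn)
        self.tombstones[dn] = now_h

    def garbage_collect(self, now_h: float) -> list:
        """Purge tombstones older than the lifetime, at most once per interval.

        Returns the DNs purged in this run ([] if the run was skipped or found none).
        """
        if now_h - self.last_gc < GC_INTERVAL_HOURS:
            return []
        self.last_gc = now_h
        self.gc_runs += 1
        expired = sorted(dn for dn, t in self.tombstones.items()
                         if now_h - t >= TOMBSTONE_LIFETIME_HOURS)
        for dn in expired:
            del self.tombstones[dn]
        return expired


def replicate_deletion(src: Replica, dst: Replica, dn: str) -> None:
    """Inbound replication of a tombstone from src to dst (keeps src's deletion time)."""
    if dn in src.tombstones:
        dst.delete(dn, src.tombstones[dn])


def lingering_objects(reference: Replica, suspect: Replica) -> list:
    """Objects still live on `suspect` that `reference` has deleted and already purged."""
    return sorted(dn for dn in suspect.live
                  if dn not in reference.live and dn not in reference.tombstones)


def scenario() -> dict:
    """DC-A deletes two accounts; DC-B replicates them, DC-C stays offline past the lifetime."""
    a, b, c = Replica("DC-A"), Replica("DC-B"), Replica("DC-C")
    for r in (a, b, c):
        r.live.update({"CN=contractor1,OU=Staff", "CN=svc-legacy,OU=Services"})
    a.delete("CN=contractor1,OU=Staff", 0)
    a.delete("CN=svc-legacy,OU=Services", 0)
    replicate_deletion(a, b, "CN=contractor1,OU=Staff")
    replicate_deletion(a, b, "CN=svc-legacy,OU=Services")
    # DC-C never receives the tombstones, so it keeps both objects live.
    early = a.garbage_collect(6)        # runs, but the tombstones are too young to purge
    skipped = a.garbage_collect(10)     # within 12 h of the last run: skipped
    purged_a = a.garbage_collect(TOMBSTONE_LIFETIME_HOURS + 12)
    purged_b = b.garbage_collect(TOMBSTONE_LIFETIME_HOURS + 12)
    return {
        "early": early, "skipped": skipped, "runs": a.gc_runs,
        "purged_a": purged_a, "purged_b": purged_b,
        "lingering_on_b": lingering_objects(a, b),
        "lingering_on_c": lingering_objects(a, c),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The practical takeaway for a defender is the last line of the result: accounts an administrator believes were removed can still authenticate against a DC that was disconnected for longer than the tombstone lifetime, which is why such a DC should be cleaned up or rebuilt rather than simply reconnected.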

What is Active Directory Domain Services (AD DS)?

1. Active Directory is useful for managing an enterprise's user information. It is used for
storing and managing a large volume of user credentials.
2. Active Directory Domain Services (AD DS) is used for managing security policies for
users and resources within the network.
3. AD is used for Single Sign On (SSO), allowing or denying access to users based on the
policy assigned by the system administrators. This means the user can sign in once and
access network resources such as computers, printers, file shares, email, SharePoint etc.
4. Administrators can centrally manage the entire network's access and security policies from
one place. Admins can provide or revoke access to users or individual resources from one
location.

Domain Controllers
1. Servers that control Active Directory are called domain controllers (DCs).
2. A domain controller is a server that is running a version of Windows Server with
Active Directory Domain Services installed.
3. Security policies are created in domain controllers and are propagated to all the
machines in the network.
4. There are two primary types of accounts that are created in a domain controller:
o User Accounts
o Computer Accounts
5. User accounts are used to add users into Active Directory and computer accounts are used
to add computers or network resources as members of the domain. The type of information
stored for these accounts is described by the schema.

Schema
1. The schema defines the attributes that the directory service uses to store data. It describes
how data about users and computers is stored in the database.
2. User accounts and computer accounts are added into the database according to the schema
defined on the domain controllers.

Example:

o A user account schema can describe what information is stored for a user account, such as
email address, username, password, department, role etc.
o For a computer account it can have attributes like computer name, SID etc.
3. Schemas are extensible. Additional attributes can be added at a later stage if required.

Groups
1. Groups are collections of user accounts and computer accounts. User accounts
and computer accounts are added to groups. Working with groups instead of with
individual users helps simplify network maintenance and administration. Groups allow
permissions to be set for users as a whole instead of adding permissions for each individual
user.

Example: if employees in the accounting department should have access to some report files,
then the employees in the accounting department can be added to a group and the group can
be given permission to the report files, so everyone in the group gets access to the files. All
other users can be blocked from accessing the report files.

2. A Group Policy Object (GPO) is a collection of settings that define what a system will look
like and how it will behave for a defined group of users.
3. Security policies can be granular. For example, an admin can lock down a single user's access
to the CD drive of a computer or stop a user changing the desktop background, and lock down
what a user can do on specific machines.
4. There are two types of groups in Active Directory:
o Distribution groups: distribution groups are used for sending e-mail messages to groups
of users. You cannot grant permissions to distribution groups. Even though security groups
have all the capabilities of distribution groups, distribution groups are still required, because
some applications can only read distribution groups.
o Security groups: use security groups for granting permissions to gain access to
resources. Sending an e-mail message to a security group sends the message to all members of
the group. Therefore security groups share the capabilities of distribution groups.

Organizational units
1. Organizational units (OUs) are containers in which users, groups, computers and other
organizational units can be added. OUs exist for administrative and organizing purposes. An OU is
the smallest scope or unit to which you can assign Group Policy settings or delegate
administrative authority. OUs can be used to represent hierarchical and logical structures within
the organization.

Example: An organizational unit can be created to manage the groups, users and computers in a
specific branch office, and the OU can have an administrator who can administer only that
specific OU.

Domain, Trees and Forest

1. Domain controllers create a domain. All the computers and users connected to a domain
controller are said to be within a single domain.
2. A tree is a collection of domains within a Microsoft Active Directory network.
3. The top of the tree structure is called the forest: the domain that links and controls all trees. An
Active Directory forest is the highest level of organization within Active Directory. Each
forest shares a single database, a single global address list and a security boundary. By
default, a user or administrator in one forest cannot access another forest.

Trust
1. Communication between domains occurs through trusts. Trusts are authentication
pipelines that must be present in order for users in one domain to access resources in
another domain.
2. Trusted domain objects (TDOs) are objects that represent each trust relationship within a
particular domain.
3. Sub-domains of the forest root have a two-way transitive trust established. A transitive trust
is a two-way relationship automatically created between parent and child domains in a
Microsoft Active Directory forest. When a new domain is created, it shares resources
with its parent domain by default, enabling an authenticated user to access resources in
both the child and parent.
4. Transitive trust also allows a user of one sub-domain to access resources in a different
sub-domain under the same forest root. This provides seamless access for a user between
different domains.
5. An explicit one-way trust is used to enable trust between two Active Directory forests, in
which users from the primary AD can access the other network but not vice versa. A one-way
explicit trust is established by the secondary AD trusting the primary AD. Users from the
primary AD can then be added to secondary AD groups to access resources in the secondary
domain.

Type of Trusts

There are two classifications of trust:

o Default Trust
o Explicit Trust (Other Trust)

Default Trust

Two-way, transitive trusts are automatically created when a new domain is added to a domain
tree or forest root domain.

1. Tree root trust is automatically (implicitly) created when a new tree root domain is added to a
forest. The trust relationship exists between two root domains within the same forest. For
instance, if there is an existing forest root domain, and a new tree root domain is added to the
same forest, a tree root trust is formed between the new tree root domain and the existing forest
root domain. Tree root trust is transitive and two-way.
2. Parent and child trust: when a new child domain is added to an existing domain tree, a new
parent and child trust is established.

Other Trust

Four other types of trusts can be created using the New Trust Wizard manually: external, realm,
forest, and shortcut trusts.

1. External trust: An administrator explicitly defines the external trust to enable trust
between domains that are located in different forests and to create trust between an
Active Directory domain and a down-level Windows NT 4 domain. External trust is
always non-transitive but can be either one-way trusts or two-way trusts. External trust is
usually only created in Active Directory environments when users need to access network
resources in a domain that resides in a different forest and forest trust cannot be created
between the two domains. When external trust is created between an Active Directory
domain and a down-level Windows NT 4 domain, it is a one-way, non-transitive trust
relationship.
2. Forest trust: An administrator explicitly creates a forest trust to enable trust between two
Active Directory forests. Forest trust is transitive in nature and can be either one-way or
two-way. Because forest trust is created between the two root domains of two forests, it can
create two-way trusts with each domain within the two forests. This basically means that
users would be able to access Active Directory objects between all domains encompassed
by the particular forest trust relationship.
3. Shortcut trust: An administrator explicitly creates a shortcut trust and is either a one
way transitive trust or two way transitive trust. Shortcut trust is usually created when
users want to speed up or enhance authentication performance between two domains in
different trees but within the same forest. One way shortcut trust should be created when
users in Domain1 need to access Active Directory objects in Domain2 but users in
Domain2 do not need to access objects in Domain1. Two way shortcut trust should be
created when users in each domain need to access objects in each other’s domain.
4. Realm trust: An administrator explicitly creates realm trust and it can be defined as
either a transitive or non-transitive trust. It can also either be a one way or two way trust.
Realm trust enables users to create a trust relationship between a Windows Server 2003
Active Directory domain and a non-Windows Kerberos version 5 realm. Realm trust
therefore facilitates interoperability between a Windows Server 2003 domain and a realm
used in Kerberos version 5 implementations.
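The trust properties described in this section (direction, transitivity, and the effect of a shortcut trust on authentication path length), as an added worked example that is not part of the original page. A trust is modelled as a directed edge from the trusting domain, whose resources become reachable, to the trusted domain, whose users are accepted; a two-way trust is two edges. A chain of more than one hop may cross only transitive trusts, while a non-transitive external trust serves just its two endpoints. The sample forest (corp.example and sales.example trees, a down-level domain called LEGACY) and the names Trust, two_way, referral_path, build_forest and hops are all invented for this illustration.

```python
"""Trust path resolution over parent-child, tree-root, shortcut and external trusts."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trusting: str     # domain holding the resources
    trusted: str      # domain whose users are accepted
    kind: str         # parent-child, tree-root, shortcut, forest, external, realm
    transitive: bool


def two_way(a: str, b: str, kind: str, transitive: bool = True) -> list:
    """A two-way trust is simply a trust in each direction."""
    return [Trust(a, b, kind, transitive), Trust(b, a, kind, transitive)]


def referral_path(trusts, user_domain: str, resource_domain: str):
    """Shortest chain of domains from the resource domain back to the user's domain,
    or None if no usable trust path exists. Hop count is len(path) - 1."""
    if user_domain == resource_domain:
        return [resource_domain]
    # A direct trust of any kind (transitive or not) is always usable.
    for t in trusts:
        if t.trusting == resource_domain and t.trusted == user_domain:
            return [resource_domain, user_domain]
    # Longer chains are only valid across transitive trusts (breadth-first search).
    adjacency = {}
    for t in trusts:
        if t.transitive:
            adjacency.setdefault(t.trusting, []).append(t.trusted)
    previous = {resource_domain: None}
    queue = deque([resource_domain])
    while queue:
        current = queue.popleft()
        for nxt in adjacency.get(current, []):
            if nxt in previous:
                continue
            previous[nxt] = current
            if nxt == user_domain:
                path = []
                while nxt is not None:
                    path.append(nxt)
                    nxt = previous[nxt]
                return path[::-1]
            queue.append(nxt)
    return None


def hops(trusts, user_domain: str, resource_domain: str):
    """Number of trust hops on the referral path, or None when unreachable."""
    path = referral_path(trusts, user_domain, resource_domain)
    return None if path is None else len(path) - 1


def build_forest() -> list:
    """Two trees in one forest plus a one-way, non-transitive external trust (constructed)."""
    trusts = []
    trusts += two_way("corp.example", "eu.corp.example", "parent-child")
    trusts += two_way("eu.corp.example", "hr.eu.corp.example", "parent-child")
    trusts += two_way("corp.example", "sales.example", "tree-root")
    trusts += two_way("sales.example", "na.sales.example", "parent-child")
    # LEGACY (a down-level domain) trusts corp.example only: one-way, non-transitive.
    trusts.append(Trust("LEGACY", "corp.example", "external", transitive=False))
    return trusts


if __name__ == "__main__":
    forest = build_forest()
    print("hr.eu -> na.sales:", referral_path(forest, "hr.eu.corp.example", "na.sales.example"))
    with_shortcut = forest + two_way("na.sales.example", "hr.eu.corp.example", "shortcut")
    print("with shortcut trust:", referral_path(with_shortcut, "hr.eu.corp.example", "na.sales.example"))
    print("eu.corp users -> LEGACY:", referral_path(forest, "eu.corp.example", "LEGACY"))
```

Without the shortcut, a user in hr.eu.corp.example reaching a resource in na.sales.example is referred up through eu.corp.example, corp.example and sales.example (four hops); adding the two-way shortcut trust between the two domains cuts this to one. The external trust shows the two restrictions the text describes: it is one-way (LEGACY accepts corp.example users, not the reverse) and non-transitive (eu.corp.example users cannot reach LEGACY through corp.example).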
