1. Define clean PC in Active Directory?

A clean PC is defined as a computer with only the following items on it before you run Discover:
★ The operating system
★ The service packs for the operating system
If you install Veritas Software Console on the computer, it is by definition no longer a clean PC. You must install Veritas Software Console somewhere, but not on the clean PC.

2. How to create a Third-Party MSI package in Active Directory?

1) Start with a clean PC, or one that is representative of the computers in your network.
2) Start Discover to take a picture of the representative PC's software configuration. This
is the Before snapshot.
3) Install a program on the PC on which you took the Before snapshot.
4) Reboot the PC.
5) Run the new program to verify that it works.
6) Quit the program.
7) Start Discover and take an After snapshot of the PC's new configuration. Discover compares the Before and the After snapshots and notes the changes. It creates a Microsoft Installer package with information about how to install that program on such a PC in the future.
8) (Optional) Use Veritas Software Console to customize the Microsoft Installer package.
9) Clean the reference computer to prepare to run Discover again.
10) (Optional) Perform a test installation of the program on non-production workstations.

3. How to create a Site link in Active Directory?

To create a new site link:
1) Click Active Directory Sites and Services.
2) Expand the Inter-Site Transports node, right-click IP (or click SMTP if you want to
use SMTP as the inter-site transport protocol), and then click New Site Link. If you have only one site in Active Directory, you receive a message that states that two sites are required for the site link to work. Click OK to continue.

4. How to allow only secure dynamic updates?

1) Click Start, point to Programs, point to Administrative Tools, and then click DNS.
2) Under DNS, expand the applicable DNS server, expand Forward Lookup Zones (or Reverse Lookup Zones) , and then click the applicable zone.
3) On the Action menu, click Properties.
4) On the General tab, verify that the zone type is Active Directory-integrated.
5) In the Allow dynamic updates? box, click Only secure updates.

5. How to set the Aging feature on an individual zone?

1) Right-click the zone, and then click Properties.
2) Click Aging.
3) Click to select the Scavenge Stale Resource Records check box, and then set the interval that you want the Aging feature to use.
If the Aging feature is not enabled at the server level, and you attempt to enable the Aging feature at the zone level, the Aging feature does not work. After you select the appropriate aging periods and you enable the Scavenging feature on the server, outdated records are scavenged.

6. How to enable Aging and Scavenging?

1) Open the DNS manager.
2) In the left pane, under the DNS icon, right-click the server name.
3) Click Set Aging/Scavanging for all zones.
4) Click to select the Scavenge Stale Resource Records check box, and then set the interval that you want the Aging feature to use.

7. How to configure the Windows 2000 Domain Name System to age records?

When any records are orphaned, dynamic DNS on a Windows 2000-based server does not age these records by renaming them or by moving computers to different subnets out of their zones, unless the server is configured to perform this task. Orphans can occur if a group of computers are installed from an image, and then renamed at a later time on another subnet. The reverse look up pointers may not be deleted if the computer is disconnected from the network immediately after the installation. The automatic deletion of these records is possible by enabling the Aging and Scavenging feature on the DNS server.

8. How to configure the Reverse Lookup Zone?

1) Click Start, point to Programs, point to Administrative Tools, and then click DNS.
2) In the console tree, click Host name (where Host name is the host name of the DNS server).
3) In the console tree, click Reverse Lookup Zones.
4) Right-click Reverse Lookup Zones, and then click New Zone.
5) When the New Zone Wizard starts, click Next to continue.
6) Click Standard secondary, and then click Next. In the Network ID box, type the network ID (for example, type 192.168.0), and then click Next.
7) On the Zone File page, click Next, and then click Finish.

9. How to configure the Forward Lookup Zone?

1) Open the DNS MMC in the Secondary Name Server.
2) In the console tree, under DNS, click Host name (where Host name is the host name of the DNS server).
3) In the console tree, click Forward Lookup Zones.
4) Right-click Forward Lookup Zones, and then click New Zone.
5) When the New Zone Wizard starts, click Next to continue.
6) Click Standard secondary, and then click Next.
7) In the Name box, type the name of the zone (for example, example.com), and then click Next.
8) On the Master DNS Servers page, type the IP address of the primary name server for this zone, click Add, click Next, and then click Finish.

10. How to configure a secondary Name Server in Windows 2000?

1) Open DNS MMC.
2) In the console tree, click Host name (where Host name is the host name of the DNS server).
3) In the console tree, click Forward Lookup Zones.
4) Right-click the zone that you want (for example, example.com), and then click Properties.
5) Click the Name Servers tab, and then click Add.
6) In the Server name box, type the host name of the server that you want to add, for example, namesvr2.example.com.
7) In the IP address box, type the IP address of the name server that you want to add (for example, 192.168.0.22), and then click Add.
8) Click OK, and then click OK.
9) In the console tree, click Reverse Lookup Zones, right-click the zone that you want, and then click Properties.
10) Click the Name Servers tab, and then click Add.
11) In the Server name box, type the host name of the server that you want to add, for example, namesvr2.example.com.
12) In the IP address box, type the IP address of the name server that you want to add (for example, 192.168.0.22), and then click Add.
13) Click OK, and then click OK.

Download Interview PDF

11. How to create a DNS entry for the Web Server?

1) Start the DNS snap-in.
2) Under DNS, expand Server1 (where Server1 is the host name of the DNS server). Expand Forward Lookup Zones.
4) Under Forward Lookup Zones, right-click the zone that you want (for example, Microsoft.com), and then click New Alias.
5) In the Alias name box, type www.
6) In the Fully qualified name for target host box, type the fully qualified host name of the DNS server on which IIS is installed. For example, type dns.microsoft.com, and then click OK.

12. How to enable DNS Dynamic Updates on a DHCP Server?

1) Select the scope or DHCP server on which you want to permit dynamic DNS updates.
2) On the Action menu, click Properties, and then click the DNS tab.
3) Click to select the Automatically Update DHCP Client Information In DNS check box.
4) To update a client's DNS records based on the type of DHCP request that the client makes and only when it is requested, click Update DNS Only If DHCP Client Requests.
5) To always update a client's forward and reverse lookup records, click Always Update DNS.
6) Click to select the Discard Forward Lookups When Leases Expire check box to have the DHCP server delete the Host resource record for a client when its DHCP lease expires and is not renewed.
7) Click to select the Enable Updates For DNS Clients That Do Not Support Dynamic Updates check box to enable the DHCP server to update the forward and reverse lookup records for clients that cannot update their own forward lookup records. If you do not select this check box, the DHCP server does not automatically update the DNS records of non-Windows 2000 clients.

13. How to Configure DNS Dynamic Update on a Windows 2000 DHCP Server?

1) Click Start, point to Programs, point to Administrative Tools, and then click DHCP.
2) Click the appropriate DHCP server or a scope on the appropriate DHCP server.
3) On the Action menu, click Properties.
4) Click the DNS tab.
5) To enable DNS dynamic update for DHCP clients that support it, click to select the Automatically update DHCP client information in DNS check box. This check box is selected by default.
6) To enable DNS dynamic update for DHCP clients that do not support it, click to select the Enable updates for DNS clients that do not support dynamic updates check box. This check box is selected by default.

14. How to configure DNS Dynamic Update on a Windows 2000 DNS Server?

1) Click Start, point to Programs, point to Administrative Tools, and then click DNS.
2) Click the appropriate zone under either Forward Lookup Zones or Reverse Lookup Zones.
3) On the Action menu, click Properties.
4) On the General tab, verify that the zone type is either Primary or Active Directory integrated.
5) If the zone type is Primary, click Yes in the Allow dynamic updates? list.
6) If the zone types is Active Directory-integrated, click either Yes or Only secure updates in the Allow dynamic updates? list, depending on whether you want DNS dynamic updates to be secure.

15. How to configure DNS dynamic update on a Windows 2000 DNS client computer?

1) Click Start, point to Settings, and then click Network and Dial-up Connections.
2) Right-click the network connection that you want to configure, and then click Properties.
3) Click either the General tab (for the local area connection) or the Networking tab (for all other connections), click Internet Protocol (TCP/IP), and then click Properties.
4) Click Advanced, and then click the DNS tab.
5) To use DNS dynamic update to register both the IP addresses for this connection and the full computer name of the computer, click to select the Register this connection's addresses in DNS check box. This check box is selected by default.
6) To configure a connection-specific DNS suffix, type the DNS suffix in the DNS suffix for this connection box.
7) To use DNS dynamic update to register the IP addresses and the connection-specific domain name for this connection, click to select the Use this connection's DNS suffix in DNS registration check box. This check box is selected by default.

16. How Windows 2000-Based Computers Update Their DNS Names?

Windows 2000 computers try to dynamically register host address (A) and pointer (PTR) resource records. All computers register records based on their full computer name. Dynamic updates can be sent for any of the following reasons or events:
★ An IP address is added, removed, or modified for any one of the installed network connections.
★ An IP address lease changes or renews. For example, if you use the ipconfig /renew command.
★ You use the ipconfig /registered command to manually force a refresh of the client name registration in DNS.
★ At startup time, when the computer is turned on.
When one of these events triggers a dynamic update, the DHCP Client service (not the DNS Client service) sends updates. This process is designed so that if a change to the IP address information occurs because of DHCP, corresponding updates in DNS are performed to synchronize name-to-address mappings for the computer. The DHCP Client service performs this function for all network connections used on the system, including connections that are not configured to use DHCP.

17. How to configure DNS dynamic update in Windows 2000?

The DNS service allows client computers to dynamically update their resource records in DNS and improves DNS administration. You can use DDNS in conjunction with DHCP to update resource records when a computer's IP address is changed.

18. Do you know how to set up DNS for a child domain?

To set up DNS for a child domain, create a delegation record on the parent DNS server for the child DNS server. Create a secondary zone on the child DNS server that transfers the parent zone from the parent DNS server. Set the child DNS server to point to itself only.

19. How do I set up DNS for other DCs in the domain that are running DNS?

For each additional DC that is running DNS, the preferred DNS setting is the parent DNS server (first DC in the domain), and the alternate DNS setting is the actual IP address of network interface.

20. Tell me what should I do if the DC points to itself for DNS, but the SRV records still do not appear in the zone?

Check for a disjointed namespace, and then run Netdiag.exe /fix. You must install Support Tools from the Windows 2000 Server CD-ROM to run Netdiag.exe.

21. Tell me what if my Windows 2000 or Windows Server 2003 DNS server is behind a proxy server or firewall?

If you are able to query the ISP's DNS servers from behind the proxy server or firewall, Windows 2000 and Windows Server 2003 DNS server is able to query the root hint servers. UDP and TCP Port 53 should be open on the proxy server or firewall.

22. Tell me should I point the other Windows 2000-based and Windows Server 2003-based computers on my LAN to my ISP's DNS servers?

No. If a Windows 2000-based or Windows Server 2003-based server or workstation does not find the DC in DNS, you may experience issues joining the domain or logging on to the domain. A Windows 2000-based or Windows Server 2003-based computer's preferred DNS setting should point to the Windows 2000 or Windows Server 2003 DC running DNS. If you are using DHCP, make sure that you view scope option #15 for the correct DNS server settings for your LAN.

23. Tell me do I need to point computers that are running Windows NT 4.0 or Microsoft Windows 95, Microsoft Windows 98, or Microsoft Windows 98 Second Edition to the Windows 2000 or Windows Server 2003 DNS server?

Legacy operating systems continue to use NetBIOS for name resolution to find a DC; however it is recommended that you point all computers to the Windows 2000 or Windows Server 2003 DNS server for name resolution.

24. How to synchronies time amongst DCs using net time?

★ Net time mypdc /set /y
★ This synchronizes the local computer time with the server named Mypdc.
★ The /set - Time not only be queried, but synchronized with the specified server.
★ The /y switch skips the confirmation for changing the time on the local computer

25. Tell me do I need to configure forwarders in DNS?

By default, Windows 2000 DNS use the root hint servers on the Internet; however, you can configure forwarders to send DNS queries directly to your ISP's DNS server or other DNS servers. In most cases, when you configure forwarders, DNS performance and efficiency increases, but this configuration can also introduce a point of failure if the forwarding DNS server is experiencing problems. The root hint server can provide a level of redundancy in exchange for slightly increased DNS traffic on your Internet connection.

Download Interview PDF

26. Do you know what is the "." zone in my forward lookup zone?

This setting designates the Windows 2000 DNS server to be a root hint server and is usually deleted. If you do not delete this setting, you may not be able to perform external name resolution to the root hint servers on the Internet.

27. Suppose if I remove the ISP's DNS server settings from the DC, how does it resolve names such as Microsoft.com on the Internet?

As long as the "." zone does not exist under forward lookup zones in DNS, the DNS service uses the root hint servers. The root hint servers are well-known servers on the Internet that help all DNS servers resolve name queries.

28. Tell me why can't I use WINS for name resolution like it is used in Microsoft Windows NT 4.0?

A Windows 2000 DC does not register Active Directory-related information with a WINS server; it only registers this information with a DNS server that supports dynamic updates such as a Windows 2000 DNS server. Other Windows 2000-based computers do not query WINS to find Active Directory-related information.

29. Do you know what does a DC register in DNS?

The Netlogon service registers all the SRV records for that DC. These records are displayed as the _msdcs, _sites, _tcp, and _udp folders in the forward lookup zone that matches your domain name. Other computers look for these records to find Active Directory-related information.

30. Do you know why do I have to point my DC to itself for DNS?

The Netlogon service on the DC registers a number of records in DNS that enable other DCs and computers to find Active Directory-related information. If the DC is pointing to the Internet service provider's (ISP) DNS server, Netlogon does not register the correct records for Active Directory, and errors are generated in Event Viewer. The preferred DNS setting for the DC is itself; no other DNS servers should be listed. The only exception to this rule is with additional DCs. Additional DCs in the domain must point to the first DC (which runs DNS) that was installed in the domain and then to themselves as secondary.

31. Do you know what are the common mistakes that are made when administrators set up DNS on network that contains a single Windows 2000 or Windows Server 2003 DC?

The most common mistakes are:
★ The DC is not pointing to itself for DNS resolution on all network interfaces.
★ The "." zone exists under forward lookup zones in DNS.
★ Other computers on the local area network (LAN) do not point to the Windows 2000 DNS server for DNS.

32. Define Attribute value?

An object's attribute is set concurrently to one value at one master, and another value at a second master.

33. How to create Third-Party Microsoft installer package?

If you want to install a third-party program by using this method, you must install a copy of Veritas Software Console by Seagate Software at a location that is accessible by the reference computer. This program is available on the Windows 2000 CD-ROM in Valueadd3rdpartyMgmtWinstleSwiadmle.msi. This includes a copy of WinINSTALL limited edition, which allows for basic functionality.

34. Distinguishing a DC from a Windows 2000 member server?

★ The NTDS registry key exists in the HKLMSYSTEMCCSSERVICES portion of the registry.
★ The SYSVOL and NETLOGON shares exist. (The SYSVOL share and its contents exist after demotion of a DC.)
★ NBTSTAT shows that the 1C name (Domain) has been registered. Type nbtstat -n from a command prompt and note the presence of the 1C name.
★ The computer role from the NET ACCOUNTS utility lists the computer role as "PRIMARY" and standalone servers as "SERVERS." Type net accounts from the command prompt.
★ The NET START command indicates that the Kerberos Key Distribution Center (KDC) service is running. Type net start |more.
★ The computer responds to LDAP queries (specifically, to port 389 or 3268).
★ The "Connect to server %S" command in Ntdsutil.exe functions only against Windows 2000 DCs.
★ The Change button on the Network Identification tab in My Computer is disabled when Windows 2000 is configured as a DC. A note appears indicating this.
★ Run Netdiag (a Resource Kit utility) and observe the "Machine is a Primary DC" entry in the output. Type netdiag /v from the command prompt.

35. How to configure a one-way trust?

Perform the following steps to configure the one-way trust:
1) On a domain controller in the trusted domain, start the Active Directory Domains and Trusts console.
2) In the Domains that trust this domain pane, click Add.
3) In the Add Trusting Domain dialog box, type the name of the trusting domain, type a password, and then type the password again in the Confirm password box.
4) Click OK.
5) In the Active Directory dialog box, click OK to verify the trust.
6) Enter a user name and password of a user that has permissions to modify trust relationships in the trusting domain.

36. How to configure auditing for specific active directory objects?

You can configure auditing for specific objects, such as users, computers, organizational units, or groups, by specifying both the types of access and the users whose access that you want to audit. To configure auditing for specific Active Directory objects, follow these steps:
1) Open Active Directory Users and Computers.
2) Select Advanced Features on the View menu.
3) Right-click the Active Directory object that you want to audit, and then click Properties.
4) Click the Security tab, and then click Advanced.
5) Click the Auditing tab, and then click Add.
6) Enter the name of either the user or the group whose access you want to audit. Click to select either the Successful check box or the Failed check box for the actions that you want to audit, and then click OK.

37. How will you remove Orphaned Domains from Active Directory?

Typically, when the last DC for a domain is demoted, the administrator selects this server is the last DC in the domain option in the DC Promo tool, which removes the domain metadata from Active Directory.
1) Determine the DC that holds the Domain Naming Master FSMO role.
2) Verify that all servers for the specified domain have been demoted.
3) At the command prompt:
★ ntdsutil
★ metadata cleanup
★ connections
★ connect to server servername

38. How to seize the schema master role?

1) Click Start, click Run, and then type cmd.
2) At the command prompt, type ntdsutil.
3) At the ntdsutil prompt, type roles.
4) At the fsmo maintenance prompt, type connections.
5) At the server connections prompt, type connect to server, followed by the fully qualified domain name.
6) At the server connections prompt, type quit.
7) At the fsmo maintenance prompt, type seize schema master.
8) At the fsmo maintenance prompt, type quit.
9) At the ntdsutil prompt, type quit.

39. Define computer acccounts in Active Directory?

Each computer account created in Active Directory has a relative distinguished name, a preWindows 2000 computer name (SAM account name), a primary DNS suffix, a DNS host name and a service principal name. This computer name is used as the LDAP relative distinguished name.
Active Directory suggests the pre-Windows 2000 name using the first 15 bytes of the relative distinguished name. This can be changed at any time. The primary DNS suffix defaults to the full DNS name of the domain to which the computer is joined. The DNS host name is built from the first 15 characters of the relative distinguished name + the primary DNS suffix. The service principal name is built from the DNS host name. The service principal name is used in the process of mutual authentication between the client and the server hosting a particular service. The client finds a computer account based on the service principal name of the service to which it is trying to connect.

40. Define user accounts in Active Directory?

In Active Directory, each user account has a user logon name, a pre-Windows 2000 user logon name (SAM account name), and a user principal name suffix. Active Directory suggests a pre-Windows 2000 user logon name using the first 20 bytes of the user logon name.

Download Interview PDF

41. How to change the recovery console administrator password on a DC?

1) In a DC use the %systemroot%system32Setpwd.exe (SP2 or Later) utility to change the SAM-based Administrator password. To change the SAM Administrator password on a remote DC, type the following command
Setpwd /s: servername
2) Restart the DC in Directory Service Restore Mode. Use the command net user administrator * or Local User and Groups
Who can "Log On locally" to a DC
By default Account Operators, Administrators, Backup Operators, Print Operators, Server Operators, Internet Guest Account, and Terminal Services User Account are assigned the log on locally right.

42. Do you know how Kerberos V5 works?

The Kerberos V5 authentication mechanism issues tickets (A set of identification data for a security principle, issued by a DC for purposes of user authentication. Two forms of tickets in Windows 2000 are ticket-granting tickets (TGTs) and service tickets) for accessing network services. These tickets contain encrypted data, including an encrypted password, which confirms the user's identity to the requested service.

43. What is Kerberos V5 authentication process?

Kerberos V5 is the primary security protocol for authentication within a domain. The Kerberos V5 protocol verifies both the identity of the user and network services. This dual verification is known as mutual authentication.

44. What is Loop back Processing of group policy?

Group Policy applies to the user or computer in a manner that depends on where both the user and the computer objects are located in Active Directory. However, in some cases, users may need policy applied to them based on the location of the computer object alone. You can use the Group Policy loop back feature to apply GPOs that depend only on which computer the user logs on to.

45. How to configure an authoritative time server in Windows 2000?

Windows includes the W32Time time service tool that is required by the Kerberos authentication protocol. The purpose of the Time service is to ensure that all computers that are running Windows 2000 in an organization use a common time.
Windows-based computers use the following hierarchy by default:
• All client PCs and member servers nominate the authenticating DC as their in-bound time Server.
• DCs may nominate the PDC operations master as their in-bound time partner but may use a parent DC based on stratum numbering.
• All PDC operations masters follow the hierarchy of domains in the selection of their inbound time partner.
PDC operations master at the root of the forest becomes authoritative for the organization. This PDC can be configured to recognize an external Simple Network Time Protocol (SNTP) time server as authoritative by using the following net time command:
Net time /setsntp: server_list

To reset the local computer's time against the authoritative time server for the domain:
Net time /domain_name /set
Net stop w32time
W32tm -once
Net start w32time

SNTP defaults to using UDP port 123. If this port is not open to the Internet, you cannot synchronize your server to Internet SNTP servers. Administrators can also configure an internal time server as authoritative by using the net time command. If the administrator directs the command to the operations master, it may be necessary to reboot the server for the changes to take effect.

46. How to publish a printer in AD?

1) Log on to the computer as an administrator.
2) Click Start, point to Settings, and then click Printers.
3) In the Printers folder, right-click the printer that you want to publish in Active Directory, and then click Properties.
4) Click the Sharing tab, click Share As, and then either type a share name or accept the default name. Use only letters and numbers; do not use spaces, punctuation, or special characters.
5) Click to select the List in the Directory check box, and then click OK.
6) Close the Printers folder.

47. How to create a container to list printers in Active Directory?

To create a Printers container in which to list your printers in Active Directory:
1) Click Start, point to Programs, point to Windows 2000 Support Tools, point to Tools, and then click ADSI Edit.
2) Expand Domain NC [Domain Name], and then click DC=Domain, DC=com.
3) On the Action menu, point to New, and then click Object.
4) In the Select a class box, click container, and then click Next.
5) In the Value box, type Printers, and then click Next.
6) Click Finish.

A CN=Printers container appears in the right pane of ADSI Edit.
1) Right-click CN=Printers, and then click Properties.
2) Click the Attributes tab.
3) In the Select a property to view box, click "show In Advanced View Only", and then click Clear.
4) In the Edit Attribute box, type false, click Set, and then click OK.
5) Quit ADSI Edit.
6) Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers. The Printers container that you created appears in the list of directory objects.
7) On the View menu, click Advanced Features.
8) On the View menu, click Users, Groups, and Computers as containers.
9) Move the printers that you want to the Printers container.
10) Quit Active Directory Users and Computers.

48. Define the Schema master failure?

Temporary loss of the schema operations master will be visible only if we are trying to modify the schema or install an application that modifies the schema during installation. A DC whose schema master role has been seized must never be brought back online.

49. How to responding operations master failures?

Some of the operations master roles are crucial to the operation of your network. Others can be unavailable for quite some time before their absence becomes a problem If an operations master is not available due to computer failure or network problems, you can seize the operations master role.
In general, seizing an operations master role is a drastic step that should be considered only if the current operations master will never be available again.

50. How to place the FSMO roles?

★ Place the RID and PDC emulator roles on the same domain controller. Good communication from the PDC to the RID master is desirable as down-level clients and applications target the PDC, making it a large consumer of RIDs.
★ As a general rule, the infrastructure master should be located on a non-global catalog server that has a direct connection object to some global catalog in the forest, preferably in the same Active Directory site.

51. Describe the Infrastructure FSMO role?

When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

52. List the FSMO roles?

★ Schema master
★ Domain naming master
★ RID master
★ PDC emulator
★ Infrastructure daemon

53. Define the single master operations?

Active Directory supports multi-master replication of the directory data between all DCs in the domain. Some changes are impractical to perform in multi-master fashion, so only one DC, called the operations master, accepts requests for such changes. Because the operations master roles can be moved to other DCs within the domain or forest, these roles are sometimes referred to as Flexible Single Master Operations. In any Active Directory there are five operations master roles. Some roles must appear in every forest. Other roles must appear in every domain in the forest.

54. Define the Infrastructure master role?

The infrastructure master is responsible for updating the group-to-user references whenever the members of groups are renamed or changed. At any time, there can be only one DC acting as the infrastructure master in each domain. When you rename or move a member of a group (and that member resides in a different domain from the group), the group may temporarily appear not to contain that member. The infrastructure master of the group's domain is responsible for updating the group so it knows the new name or location of the member. The infrastructure master distributes the update via multi-master replication.
There is no compromise to security during the time between the member rename and the group update. Only an administrator looking at that particular group membership would notice the temporary inconsistency.

55. Define PDC emulator role?

For pre-W2K clients, the PDC emulator acts as a Windows NT PDC. It processes password changes from clients and replicates updates to the BDCs.
In native-mode, the PDC emulator receives preferential replication of password changes performed by other DCs in the domain. If a password was recently changed, that change takes time to replicate to every DC in the domain. If a logon authentication fails at another DC due to a bad password, that DC will forward the authentication request to the PDC emulator before rejecting the log on attempt.

Download Interview PDF

56. Define Relative ID master role?

The RID master allocates pool of relative IDs to each DC in its domain. Whenever a DC creates a user, group, or computer object, it assigns a unique security ID to that object. The security ID consists of a domain security ID (that is the same for all security IDs created in the domain), and a relative ID that is unique for each security ID created in the domain. To move an object between domains (using Movetree.exe), you must initiate the move on the DC acting as the relative ID master of the domain that currently contains the object.

57. Define Domain-Wide operations master roles?

Every domain in the forest must have the following roles:
★ Relative ID master
★ Primary DC (PDC) emulator
★ Infrastructure master
Each domain in the forest can have only one RID master, PDC Emulator, and Infrastructure Master.

58. Define Forest-Wide operations master roles?

Every Active Directory forest must have the following roles:
★ Schema master
★ Domain naming master
There can be only one schema master and one domain naming master for the entire forest.

59. Define Schema master role?

The schema master DC controls all updates and modifications to the schema.

60. Define the Domain naming master role?

Domain Naming Master DC controls the addition or removal of domains in the forest.

61. Do you know why GC and infrastructure master should not be on the same server?

The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. The infrastructure master compares its data with that of a global catalog. Global catalogs receive regular updates for objects in all domains through replication, so the global catalog's data will always be up-to-date. If the infrastructure master finds data that is out-of-date, it requests the updated data from a global catalog. The infrastructure master then replicates that updated data to the other domain controllers in the domain.
★ If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function. The infrastructure master will never find data that is out of date, so will never replicate any changes to the other domain controllers in the domain.
★ If all of the domain controllers in a domain are also hosting the global catalog, all of the domain controllers will have the current data and it does not matter which domain controller holds the infrastructure master role.

62. Suppose if a user is a member of the Domain Admins group, Did he able to log on to the network even when a global catalog is not available?

The global catalog is designed to respond to queries about objects anywhere in the forest with maximum speed and minimum network traffic. Because a single global catalog contains information about objects in all domains in the forest, a query about an object can be resolved by a global catalog in the domain in which the query is initiated. Thus, finding information in the directory does not produce unnecessary query traffic across domain
boundaries.
You can optionally configure any domain controller to host a global catalog, based on your organization's requirements for servicing logon requests and search queries. After additional domain controllers are installed in the domain, you can change the default location of the global catalog to another domain controller using Active Directory Sites and Services.

63. What is the role of Global Catalog Server in a Domain?

By default, a global catalog is created automatically on the initial domain controller in the forest. It stores a full replica of all objects in the directory for its host domain and a partial replica of all objects contained in the directory of every other domain in the forest. The replica is partial because it stores some, but not all, of the property values for every object in the forest.

64. Define the global catalog key directory roles?

When a user logs on to the network, the global catalog provides universal group membership information for the account sending the logon request to the domain controller. If there is only one domain controller in the domain, the domain controller and the global catalog are the same server. If there are multiple domain controllers in the network, the global catalog is hosted on the domain controller configured as such. If a global catalog is not available when a user initiates a network logon process, the user is only able to log on to the local computer.

65. Define Replication in Active Directory?

Site streamlines replication of directory information and reduces replication traffic.
Site membership is determined differently for domain controllers and clients. A client determines it is in when it is turned on, so its site location will often be dynamically updated. A domain controller's site location is established by which site its Server object belongs to in the directory, so its site location will be consistent unless the domain controller's Server object is intentionally moved to a different site.

66. List the GC key directory roles?

★ It enables network logon by providing universal group membership information to a DC when a logon process is initiated.
★ It enables finding directory information regardless of which domain in the forest actually contains the data.

67. What is GC in Active Directory?

GC is created automatically on the first DC in the forest. It stores a full replica of all objects in the directory for its host domain and a partial replica of all objects of every other domain in the forest. The replica is partial because it stores only some attributes for each objects.

68. Define Service requests in Active Directory?

When a client requests a service from a domain controller, it directs the request to a domain controller in the same site. Selecting a domain controller that is well-connected to the client makes handling the request more efficient.

69. Define Active Directory Classes?

Classes, also referred to as object classes; describe the possible directory objects that can be created. Each class is a collection of attributes. When you create an object, the attributes store the information that describes the object. The User class, for example, is composed of many attributes, including Network Address, Home Directory, and so on. Every object in Active Directory is an instance of an object class.

70. What are the advantages of Active Directory Sites?

Active Directory Sites and Services allow you to specify site information. Active Directory uses this information to determine how best to use available network resources.

Download Interview PDF

71. Define Active Directory Sites?

Site consists of one or more IP subnets connected by a high speed link. Wide area networks should employ multiple sites for efficiently handling servicing requests and reducing replication traffic. Sites map the physical structure of your network whereas domains generally map the logical structure of your organization.
Active Directory Sites and Services allow you to specify site information. Active Directory uses this information to determine how best to use available network resources.

72. Define Active Directory schema?

The Active Directory schema is the set of definitions that defines the kinds of objects, and the types of information about those objects, that can be stored in Active Directory. The definitions are themselves stored as objects so that Active Directory can manage the schema objects with the same object management operations used for managing the rest of the objects in the directory.
There are two types of definitions in the schema: attributes and classes. Attributes and classes are also referred to as schema objects or metadata.

73. Define Active Directory Schema Attributes?

Attributes are defined separately from classes. Each attribute is defined only once and can be used in multiple classes. For example, the Description attribute is used in many classes, but is defined once in the schema, assuring consistency.

74. Define domain Trees in Active Directory?

Tree is a hierarchical arrangement of W2K domains that share a contiguous name space. The first domain in a domain tree is called the root domain. Additional domains in the same domain tree are child domains. A domain immediately above another domain in the same domain tree is referred to as the parent of the child domain. The name of the chills domain is combined with its parent domain to form its DNS name. Every child domain has a two two-way, transitive trust relationship with its parent domain Because these trust relationships are two-way and transitive, a Windows 2000 domain newly created in a domain tree or forest immediately has trust relationships established with every other Windows 2000 domain in the domain tree or forest.
These trust relationships allow a single logon process to authenticate a user on all domains in the domain tree or forest. This does not necessarily mean that the authenticated user has rights and permissions in all domains in the domain tree. Because a domain is a security boundary, rights and permissions must be assigned on a per-domain basis.

75. Define Domain Forests in Active Directory?

A forest consists of multiple domain trees. The domain trees in a forest do not form a contiguous namespace but share a common schema and GC. The forest root domain is the first domain created in the forest. The root domains of all domain trees in the forest establish transitive trust relationships with the forest root domain. This is necessary for the purposes of establishing trust across all the domain trees in the forest. All of the Windows 2000 domains in all of the domain trees in a forest share the following traits:
★ Transitive trust relationships between the domains
★ Transitive trust relationships between the domain trees
★ A common schema
★ Common configuration information
★ A common global catalog
Using both domain trees and forests provides you with the flexibility of both contiguous and non-contiguous naming conventions. This can be useful in, for example, companies with independent divisions that must each maintain their own DNS names.

76. Define EDB.CHK?

This is the checkpoint file used to track the data not yet written to database file. This indicates the starting point from which data is to be recovered from the log file, in case of failure.

77. Define EDB.LOG?

This is the transaction log file (10 MB). When EDB.LOG is full, it is renamed to EDBnnnn.log. Where nnnn is the increasing number starting from 1.

78. How to do Offline Defragmentation of Active Directory?

Active Directory routinely performs online database defragmentation, but this is limited to the disposal of tombstoned objects. The database file cannot be compacted while Active Directory is mounted.
To defrag ntds.dit offline:
★ Back up System State in the backup wizard.
★ Reboot and select Directory Services Restore Mode.
★ At the command prompt:
★ Ntdsutil
★ Files
★ Info
This will display current information about the path and size of the Active Directory database
and its log files.
Compact to D:DbBackup

You must specify a directory path and if the path name has spaces, the command will not work unless you use quotation marks:
Quit (till you reach the command prompt)
A new compacted database named Ntds.dit can be found in D:DbBackup.
Copy the new ntds.dit file over the old ntds.dit file. You have successfully compacted the Active Directory database.

79. What is Offline Defragmentation in Active Directory?

Offline Defragmentation is done by taking the server offline and use Ntdsutil.exe to defragment the database. This approach requires that the ADS database be started in repair mode. The advantage to this method is that the database is resized, unused space is removed, and the size is reflected by the Ntds.dit file.

80. What is Schema Configuration in Active Directory?

Configuration data about forest and trees. Replicates to all DCs. Static as your forest is.

81. What is Schema information in Active Directory?

Definitional details about objects and attributes that one CAN store in the AD. Replicates to all DCs. Static in nature.

82. What is Online Defragmentation in Active Directory?

Online Defragmentation method that runs as part of the garbage collection process. The only advantage to this method is that the server does not need to be taken offline for it to run. However, this method does not shrink the Active Directory database file (Ntds.dit).

83. List the main steps of Garbage collection process?

★ Removing "tombstones" from the database. Tombstones are remains of objects that have been previously deleted.
★ Deletion of any unnecessary log files.
★ The process launches a defragmentation thread to claim additional free space.

84. What is ADS Database garbage collection process?

Garbage Collection is a process that is designed to free space within the Active Directory database. This process runs independently on every DC with a default lifetime interval of 12 hours.

85. Define Res1.log and Res2.log?

This is reserved transaction log files of 20 MB (10 MB each) which provides the transaction log files enough room to shutdown if the other spaces are being used.

Download Interview PDF

86. What is Domain information in Active Directory?

Object information for a domain. Replicates to all DCs within a domain. The object portion becomes part of GC. The attribute values only replicates within the domain.

87. How many types of Active Directory data?

★ Active Directory has three types of data:
★ Schema information
★ Configuration information
★ Domain information

88. What is NTDS.DIT Data table?

Data Table users, groups, application-specific data, and any other data stored in the Active Directory.

89. What is NTDS.DIT Link table?

Link Table contains linked attributes, which contain values referring to other objects in the Active Directory. Take the Member Of attribute on a user object. That attribute contains values that reference groups to which the user belongs. This is also far smaller than the data table.

90. What is NTDS.DIT schema table?

The types of objects that can be created in the Active Directory, relationships between them, and the attributes on each type of object. This table is fairly static and much smaller than the data table.

91. What is NTDS.DIT?

This is the AD database and stores all AD objects. Default location is SystemRoot%ntdsNTDS.DIT.
Active Directory's database engine is the Extensible Storage Engine which is based on the Jet database and can grow up to 16 TB.

92. How to verifying database and Log files?

Make sure that the following files are there at %systemroot%ntds
Ntds.dit, Edb.*, Res*.log

93. How to Verifying SYSVOL?

If SYSVOL folder is not properly created data stores in SYSVOL such are scripts, GPO, etc will not be replicated between DCs.
First verify the following folder structure is created in SYSVOL.
★ Domain
★ Staging
★ Staging areas
★ Sysvol
Then verify necessary shares are created.

94. How will you verify whether the AD installation is proper with SRV resource records?

Verify SRV Resource Records:
After AD is installed, the DC will register SRV records in DNS when it restarts. We can check this using DNS MMC or nslookup command.

95. What is the minimum requirement for installing AD?

★ Windows Server, Advanced Server, Data center Server
★ Minimum Disk space of 200 MB for AD and 50 MB for log files
★ NTFS partition
★ TCP/IP Installed and Configured to use DNS
★ Administrative privilege for creating a domain in existing network

96. What is Lightweight Directory Access Protocol?

LDAP is the directory service protocol that is used to query and update AD. LDAP naming paths are used to access AD objects and include the following:
★ Distinguished names
★ Relative Distinguished names

97. What is meant by bridge head servers? is it used only in inter-domain replication or is it used for intra-domain replication as well?

98. What is the KCC (Knowledge consistency checker)?

The KCC generates and maintains the replication topology for replication within sites and between sites. KCC runs every 15 minutes.

99. What is the ISTG - Intersite topology generator?

ISTG is responsible for creating Active Directory Replication Connection objects for appropriate bridgehead servers within its site. Intersite replication can utilize either RPC over IP or SMTP to convey replication data.
Bridgehead server - A domain controller that is used to send replication information to one or more other sites
DHCP Superscope:
A rage of IP address that span several subnets. The DHCP server can assign these address to clients that are on several subnets.
DHCP Scope:
A range of IP address that the DHCP server can assign to clients that are on one subnet
A stub zone
It is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.
A stub zone consists of: SOA, NS, A Records

100. What is a Flexible Single Master Operation?

It is a role that only one DC can (or should) hold at any given time within its boundary.
Schema Master - Use MMC "Active Directory Schema Snap-in". The schema master domain controller controls all updates and modifications to the schema. Once the Schema update is complete, it is replicated from the schema master to all other DCs in the directory.
Domain Naming Master - Use "Active Directory Domains and Trusts". It controls the addition or removal of domains in the forest.
Primary Domain Controller (PDC) Emulator - Use the "ADUC" . The PDC emulator is necessary to synchronize time in an enterprise.
Relative ID Master (RID Master) - Use "ADUC". All objects have a SID and a domain SID. The RID assigns relative IDs to each domain controller.
Infrastructure Master - Use the "ADUC". Updates group membership information when users from other domains are moved or renamed.
The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold.

Download Interview PDF

101. How to transfer FSMO Roles?

ntdsutil - type roles - connections - connect servername - q - type transfer role - at the fsmo maintenance prompt - type trasfer rid master

102. How to Seize FSMO Roles?

ntdsutil - type roles - connections - connect servername - q - type seize role - at the fsmo maintenance prompt - type seize rid master

103. What is the the Directory Partitions?

Schema Partition:
Only one schema partition exists per forest. The schema partition is stored on all domain controllers in a forest. It contains definitions of all objects and attributes that can be created in the directory.
Configuration Partition:
There is only one configuration partition per forest. the configuration partition contains information about the forest-wide active directory structure.
Domain Partition:
Many domain partitions can exist per forest. Domain partitions are stored on each domain controller in a given domain. A domain partition contains information about users, groups, computers, and organizational units.
Application Partition:
It stores information about applications in Active Directory. It is replicated only to specific domain controllers.

104. How to view replication properties for AD partitions and DCs?

Replmon

105. Explain Global Catalog?

A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest
Global group's membership is limited to accounts from the same domain. The membership is replicated in its own domain only.
Universal group's memership is limited to accounts from the same forest.The membership is replicated across the forest

106. How to view all the GCs in the forest?

repadmin.exe /options * and use IS_GC for current domain options.
nltest /dsgetdc:corp /GC

107. How to find FSMO roles?

Netdom query fsmo OR Replmon.exe

108. What is REPLMON?

Replmon is the first tool you should use when troubleshooting Active Directory replication issues

109. What is ADSIEDIT?

ADSI Edit is an LDAP editor for managing objects in Active Directory. This Active Directory tool lets you view objects and attributes that are not exposed in the Active Directory Management Console.

110. What is NETDOM?

NETDOM is a command-line tool that allows management of Windows domains and trust relationships

111. Define REPADMIN?

is a command line tool used to monitor and troubleshoot replication on a computer running Windows.
• Checks replication consistency between replication partners.
• Monitors replication status.
• Displays replication metadata.
• Forces replication events.

112. Define LSDOU?

It's group policy inheritance model, where the policies are applied to Local machines, Sites, Domains and Organizational Units

113. Explain What is the difference between local, global and universal groups?

Domain local groups assign access permissions to global domain groups for local domain resources. Global groups provide access to resources in other trusted domains. Universal groups grant access to resources in all trusted domains.

114. Tell me Where are group policies stored?

%SystemRoot%System32GroupPolicy

115. Explain GPT and GPC?

Group policy template and group policy container.

Download Interview PDF

116. Where is GPT stored?

%SystemRoot%SYSVOLsysvoldomainnamePoliciesGUID

117. What is the List Folder Contents permission on the folder in NTFS?

Same as Read & Execute, but not inherited by files within a folder. However, newly created subfolders will inherit this permission.

118. What hidden shares exist on Windows Server 2003 installation?

Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.

119. What is the number of permitted unsuccessful logons on Administrator account?

Unlimited. Remember, though, that it's the Administrator account, not any account that's part of the Administrators group.

120. Do you know How frequently is the group policy refreshed?

90 minutes give or take.

121. Tell me What is the SYSVOL folder?

The Sysvol folder on a Windows domain controller is used to replicate file-based data among domain controllers. %systemroot%SYSVOL

122. Explain What are RODCs? And what are the major benefits of using RODCs?

Read only Domain Controller, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed.

123. What is new in Windows Server 2008 Active Directory Domain Services?

AD Domain Services auditing, Fine-Grained Password Policies,Read-Only Domain Controllers,Restartable Active Directory Domain Services

124. How to upgrade from Windows 2003 DC to Windows 2008 DC?

Windows 2003 must be running with SP2
Run adprep /forestprep
Run adprep /domainprep
Start the installation from Windows 2008 DVD
Domain level must be in Native Mode
Installation must be started from windows 2003 OS

125. Explain Where is the AD database held? What other folders are related to AD?

%SystemRoot%ntdsNTDS.DIT.
Edb*.log is the transaction log file. Each transaction file is 10 megabytes (MB). When Edb.log file is full, active directory renames it to Edbnnnnn.log, where nnnnn is an increasing number starts from 1.
Edb.chk is a checkpoint file which is use by database engine to track the data which is not yet written to the active directory database file. The checkpoint file act as a pointer that maintains the status between memory and database file on disk. It indicates the starting point in the log file from which the information must be recovered if a failure occurs.
Res1.log and Res2.log: These are reserved transaction log files. The amount of disk space that is reserved on a drive or folder for this log is 20 MB. This reserved disk space provides a sufficient space to shut down if all the other disk space is being used.

126. What is DNS Scavenging?

Scavenging will help you clean up old unused records in DNS.

127. Explain What are the standard Port numbers?

SMTP - 25,
POP3 - 110,
IMAP4 - 143,
RPC - 135,
LDAP - 389,
SSL - 443,
HTTP - 80,
RDP - 3389,
DNS - 53,
DHCP - 67,68,
FTP-21,
GC-3268,
Secure LDAP - 636,
Kerberos - 88,
NNTP - 119,
TFTP - 69,
SNMP - 161.

128. Define Kerberos?

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.

129. Why we need Netlogon?

Maintains a secure channel between this computer and the domain controller for authenticating users and services. If this service is stopped, the computer may not authenticate users and services, and the domain controller cannot register DNS records."

130. Define Active Directory?

An active directory is a directory structure used on Microsoft Windows based computers and servers to store information and data about networks and domains.

Download Interview PDF

131. What is Domain Controller?

In an Active directory forest, the domain controller is a server that contains a writable copy of the Active Directory Database participates in Active directory replication and controls access to network resource.

132. Can you explain LDAP?

The Lightweight Directory Access Protocol, or LDAP , is an application protocol for querying and modifying data using directory services running over TCP/IP

133. Explain Active Directory schema?

The Active Directory schema is the set of definitions that defines the kinds of objects, and the
types of information about those objects, that can be stored in Active Directory. The
definitions are themselves stored as objects so that Active Directory can manage the schema
objects with the same object management operations used for managing the rest of the
objects in the directory.
There are two types of definitions in the schema: attributes and classes. Attributes and
classes are also referred to as schema objects or metadata.
Attributes are defined separately from classes. Each attribute is defined only once and can be
used in multiple classes. For example, the Description attribute is used in many classes, but is
defined once in the schema, assuring consistency.

134. How will you verify whether the AD installation is proper?

1. Verify SRV Resource Records
After AD is installed, the DC will register SRV records in DNS when it restarts. We can
check this using DNS MMC or nslookup command.
Using MMC
If the SRV records are registered, the following folders will be there in the domain
folder in Forward Lookup Zone.

• msdes
• sites
• tcp
• adp

Using nslookup
>nslookup
>ls -t SRV Domain
If the SRV records are properly created, they will be listed.

2. Verifying SYSVOL
If SYSVOL folder is not properly created data stores in SYSVOL such are scripts, GPO,
etc will not be replicated between DCs.
First verify the following folder structure is created in SYSVOL
Domain
Staging
Staging areas
Sysvol
Then verify necessary shares are created.
>net share
It should show two shares, NETLOGON and SYSVOL

3. Verifying Database and Log files
Make sure that the following files are there at %systemroot%ntds
Ntds.dit, Edb.*, Res*.log

135. Minimum Requirement for Installing AD?

1. Windows Server, Advanced Server, Datacenter Server
2. Minimum Disk space of 200MB for AD and 50MB for log files
3. NTFS partition
4. TCP/IP Installed and Configured to use DNS
5. Administrative privilege for creating a domain in existing network

136. What is LDAP?

LDAP is the directory service protocol that is used to query and update AD. LDAP naming
paths are used to access AD objects and include the following:
• Distinguished names
• Relative Distinguished names

137. What is Native Mode?

When all the domain controllers in a given domain are running Windows 2000 Server. This mode allows organizations to take advantage of new Active Directory features such as Universal groups, nested group membership, and inter-domain group membership.

138. What is Mixed Mode?

Allows domain controllers running both Windows 2000 and earlier versions of Windows NT to co-exist in the domain. In mixed mode, the domain features from previous versions of Windows NT Server are still enabled, while some Windows 2000 features are disabled. Windows 2000 Server domains are installed in mixed mode by default. In mixed mode the domain may have Windows NT 4.0 backup domain controllers present. Nested groups are not supported in mixed mode.

139. What is Empty Root Domain?

The "empty root domain" is an AD design element that has become increasingly popular at organizations with decentralized IT authority such as universities.

The empty root domain acts as a placeholder for the root of Active Directory, and does not typically contain any users or resources that are not required to fulfill this roll [sic]. [...] Only those privileges that have tree or forest-wide scope are restricted to the empty root domain administrators. Departmental administrators can work independently of other departments.

This politically neutral root domain provides a central source of authority and policy enforcement, and provides a single schema and global catalog that allows users to find resources anywhere in the university/district/state system. Individual IT departments retain a significant degree of independence and can control their own users and resources without having to worry that actions by administrators in other departments will disrupt their domain.

140. What is the Group Policy?

Group Policy is one of the most exciting -- and potentially complex -- mechanisms that the Active Directory enables. Group policy allows a bundle of system and user settings (called a "Group Policy Object" or GPO) to be created by an administrator of a domain or OU and have it automatically pushed down to designated systems.

Group Policy can control everything from user interface settings such as screen background images to deep control settings in the client such as its TCP/IP configuration and authentication settings. There are currently over 500 controllable settings. Microsoft has provided some templates as well to provide a starting point for creating policy objects.

A significant advantage of group policy over the old NT-style policies is that the changes they make are reversed when the policy no longer applies to a system. In NT 4, once a policy was applied to a system, removing that policy did not by itself roll back the settings that it imposed on the client. With Windows 2000, when a specified policy no longer applies to a system it will revert to its previous state without administrative interference.

Multiple policies from different sources can be applied to the same object. For example, a domain might have one or more domain-wide policies that apply to all systems in the domain. Below that, systems in an OU can also have policy objects applied to it, and the OU can even be further divided into sub-OU's with their own policies.

This can create a very complex web of settings so administrators must be very careful when creating these multiple layers of policy to make sure the end result -- which is the union of all of the applicable policies with the "closest" policy taking priority in most cases -- is correct for that system. In addition, because Group policy is checked and applied during the system boot process for machine settings and again during logon for user settings, it is recommended that GPO's be applied to a computer from no more than five "layers" in the AD to keep reboot and/or login times from becoming unacceptably long.

141. What is Organizational Units?

OU's have many of the attributes of an NT 4 domain. However, instead of requiring server resources to create and support, they are a logical construct within the Active Directory so an OU does not have to support and maintain a domain controller.

OU's are created by an administrator of an AD domain and can be freely named (and renamed). The OU can then be populated objects of many types including computers, groups, printers, users and other sub-OU's.

The real power of an OU is that once it is established, the administrator of its "parent" can delegate administrative authority -- in total or in part -- to any user or group that is in the AD.

When this happens, the designated user/group gains complete administrative authority over all objects in their OU and thus has all of the rights and abilities that a Windows NT domain administrator would have as well as some new ones such as the ability to further segment their OU into sub-OU's and delegate authority over those sub-elements as they see fit.

142. What is Domains in Active Directory?

In Windows 2000, a domain defines both an administrative boundary and a security boundary for a collection of objects that are relevant to a specific group of users on a network. A domain is an administrative boundary because administrative privileges do not extend to other domains. It is a security boundary because each domain has a security policy that extends to all security accounts within the domain. Active Directory stores information about objects in one or more domains.

Domains can be organized into parent-child relationships to form a hierarchy. A parent domain is the domain directly superior in the hierarchy to one or more subordinate, or child, domains. A child domain also can be the parent of one or more child domains, as shown below.

143. What is Forest?

The term "forest" is used to describe a collection of AD domains that share a single schema for the AD. All DC's in the forest share this schema and it is replicated in a hierarchical fashion among them. The preferred model for Windows 2000 AD is to have an organization use a single forest that spans an entire enterprise.

While not an administrative block by themselves, forests are a major boundary in that only limited communication is available between forests. For example, it is difficult for a user in one forest to access a resource in another forest.

It is very difficult to integrate forests at this time because of potential problems reconciling schema differences between two forests.

144. Explain Active Directory?

"Active Directory is the directory service used in Windows 2000 Server and is the foundation of Windows 2000 distributed networks."

The core of Active Directory is a combination of an LDAP server and MIT Kerberos 5 KDC running on a Windows 2000 server acting as a domain controller that work as a unit to provide authentication ("Who are you?") and authorization ("What are you allowed to do?") information within a group of interlinked systems.

Above and beyond that, the LDAP "face" of this structure behaves as an enterprise-wide distributed database that not only contains Windows-specific information but can be extended to incorporate user-defined data as well.

The AD is held together by DNS, which is used not only to locate specific machines within the AD but also to locate which functions of the AD are running on which domain controllers.