Technical Support: August 2018

Technical Interview Questions ACTIVE DIRECTORY

What is Active Directory?

An active directory is a directory structure used on Microsoft Windows based computers and servers to store information and data about networks and domains. It is primarily used for online information and was originally created in 1996. It was first used with Windows 2000.

An active directory (sometimes referred to as an AD) does a variety of functions including the ability to provide information on objects, helps organize these objects for easy retrieval and access, allows access by end users and administrators and allows the administrator to set security up for the directory.

Active Directory is a hierarchical collection of network resources that can contain users, computers, printers, and other Active Directories. Active Directory Services (ADS) allow administrators to handle and maintain all network resources from a single location . Active Directory stores information and settings in a central database

What is LDAP?

The Lightweight Directory Access Protocol, or LDAP , is an application protocol for querying and modifying directory services running over TCP/IP. Although not yet widely implemented, LDAP should eventually make it possible for almost any application running on virtually any computer platform to obtain directory information, such as email addresses and public keys. Because LDAP is an open protocol, applications need not worry about the type of server hosting the directory.

Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.

-Yes you can connect other vendors Directory Services with Microsoft’s version.

-Yes, you can use dirXML or LDAP to connect to other directories (ie. E-directory from Novell or NDS (Novel directory System).

-Yes you can Connect Active Directory to other 3rd -party Directory Services such as dictonaries used by SAP, Domino etc with the help of MIIS ( Microsoft Identity Integration Server )

Where is the AD database held? What other folders are related to AD?

AD Database is saved in %systemroot%/ntds. You can see other files also in this folder. These are the main files controlling the AD structure

ntds.dit

edb.log

res1.log

res2.log

edb.chk

When a change is made to the Win2K database, triggering a write operation, Win2K records the transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD database. System performance determines how fast the system writes the data to the AD database from the log file. Any time the system is shut down, all transactions are saved to the database.

During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is 10MB. These files are used to ensure that changes can be written to disk should the system run out of free disk space. The checkpoint file (edb.chk) records transactions committed to the AD database (ntds.dit). During shutdown, a “shutdown” statement is written to the edb.chk file. Then, during a reboot, AD determines that all transactions in the edb.log file have been committed to the AD database. If, for some reason, the edb.chk file doesn’t exist on reboot or the shutdown statement isn’t present, AD will use the edb.log file to update the AD database.

The last file in our list of files to know is the AD database itself, ntds.dit. By default, the file is located in\NTDS, along with the other files we’ve discussed

What is the SYSVOL folder?

- All active directory data base security related information store in SYSVOL folder and its only created on NTFS partition.

- The Sysvol folder on a Windows domain controller is used to replicate file-based data among domain controllers. Because junctions are used within the Sysvol folder structure, Windows NT file system (NTFS) version 5.0 is required on domain controllers throughout a Windows distributed file system (DFS) forest.

This is a quote from microsoft themselves, basically the domain controller info stored in files like your group policy stuff is replicated through this folder structure

Name the AD NCs and replication issues for each NC

*Schema NC, *Configuration NC, Domain NC
Schema NC This NC is replicated to every other domain controller in the forest. It contains information about the Active Directory schema, which in turn defines the different object classes and attributes within Active Directory.
Configuration NC Also replicated to every other DC in the forest, this NC contains forest-wide configuration information pertaining to the physical layout of Active Directory, as well as information about display specifiers and forest-wide Active Directory quotas.
Domain NC This NC is replicated to every other DC within a single Active Directory domain. This is the NC that contains the most commonly-accessed Active Directory data: the actual users, groups, computers, and other objects that reside within a particular Active Directory domain.

What are application partitions? When do I use them

Application directory partitions: These are specific to Windows Server 2003 domains.
An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition. Only Domain controllers running Windows Server 2003 can host a replica of an application directory partition.

How do you create a new application partition

http://wiki.answers.com/Q/How_do_you_create_a_new_application_partition

How do you view replication properties for AD partitions and DCs?

By using replication monitor

go to start > run > type replmon

What is the Global Catalog?

The global catalog contains a complete replica of all objects in Active Directory for its Host domain, and contains a partial replica of all objects in Active Directory for every other domain in the forest.

The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.

In addition to configuration and schema directory partition replicas, every domain controller in a Windows 2000 Server or Windows Server 2003 forest stores a full, writable replica of a single domain directory partition. Therefore, a domain controller can locate only the objects in its domain. Locating an object in a different domain would require the user or application to provide the domain of the requested object.

The global catalog provides the ability to locate objects from any domain without having to know the domain name. A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. The additional domain directory partitions are partial because only a limited set of attributes is included for each object. By including only the attributes that are most used for searching, every object in every domain in even the largest forest can be represented in the database of a single global catalog server.

How do you view all the GCs in the forest?

C:\>repadmin/showreps
domain_controller

OR
You can use Replmon.exe for the same purpose.
OR
AD Sites and Services and nslookup gc._msdcs.%USERDNSDOMAIN%

Why not make all DCs in a large forest as GCs?

The reason that all DCs are not GCs to start is that in large (or even Giant) forests the DCs would all have to hold a reference to every object in the entire forest which could be quite large and quite a replication burden.

For a few hundred, or a few thousand users even, this not likely to matter unless you have really poor WAN lines.

Trying to look at the Schema, how can I do that?

adsiedit.exe

option to view the schema

c:\windows\system32>regsvr32 schmmgmt.dll

Open mmc –> add snapin –> add Active directory schema

name it as schema.msc

Open administrative tool –> schema.msc

What are the Support Tools? Why do I need them?

Support Tools are the tools that are used for performing the complicated tasks easily. These can also be the third party tools. Some of the Support tools include DebugViewer, DependencyViewer, RegistryMonitor, etc. -edit by Casquehead I beleive this question is reffering to the Windows Server 2003 Support Tools, which are included with Microsoft Windows Server 2003 Service Pack 2. They are also available for download here:

http://www.microsoft.com/downloads/details.aspx?familyid=96A35011-FD83-419D-939B-A772EA2DF90&displaylang=en

You need them because you cannot properly manage an Active Directory network without them.
Here they are, it would do you well to familiarize yourself with all of them.

Acldiag.exe
Adsiedit.msc
Bitsadmin.exe
Dcdiag.exe
Dfsutil.exe
Dnslint.exe
Dsacls.exe
Iadstools.dll
Ktpass.exe
Ldp.exe
Netdiag.exe
Netdom.exe
Ntfrsutl.exe
Portqry.exe
Repadmin.exe
Replmon.exe
Setspn.exe

> What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?

ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects with a directory service. The attributes for each object can be edited or deleted by using this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active Directory. The following are the required files for using this tool:

· ADSIEDIT.DLL

· ADSIEDIT.MSC

Regarding system requirements, a connection to an Active Directory environment and Microsoft Management Console (MMC) is necessary

A: Replmon is the first tool you should use when troubleshooting Active Directory replication issues. As it is a graphical tool, replication issues are easy to see and somewhat easier to diagnose than using its command line counterparts. The purpose of this document is to guide you in how to use it, list some common replication errors and show some examples of when replication issues can stop other network installation actions.

for more go to http://www.techtutorials.net/articles/replmon_howto_a.html

NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels

A:
Enables administrators to manage Active Directory domains and trust relationships from the command prompt.

Netdom is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use netdom, you must run the netdom command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

REPADMIN.EXE is a command line tool used to monitor and troubleshoot replication on a computer running Windows. This is a command line tool that allows you to view the replication topology as seen from the perspective of each domain controller.

REPADMIN is a built-in Windows diagnostic command-line utility that works at the Active Directory level. Although specific to Windows, it is also useful for diagnosing some Exchange replication problems, since Exchange Server is Active Directory based.

REPADMIN doesn’t actually fix replication problems for you. But, you can use it to help determine the source of a malfunction.

What are sites? What are they used for?

Active directory sites, which consist of well-connected networks defined by IP subnets that help define the physical structure of your AD, give you much better control over replication traffic and authentication traffic than the control you get with Windows NT 4.0 domains.
Using Active Directory, the network and its objects are organized by constructs such as domains, trees, forests, trust relationships, organizational units (OUs), and sites.

What’s the difference between a site link’s schedule and interval?

Schedule enables you to list weekdays or hours when the site link is available for replication to happen in the give interval. Interval is the re occurrence of the inter site replication in given minutes. It ranges from 15 – 10,080 mins. The default interval is 180 mins.

What is the KCC?

The KCC is a built-in process that runs on all domain controllers and generates replication topology for the Active Directory forest. The KCC creates separate replication topologies depending on whether replication is occurring within a site (intrasite) or between sites (intersite). The KCC also dynamically adjusts the topology to accommodate new domain controllers, domain controllers moved to and from sites, changing costs and schedules, and domain controllers that are temporarily unavailable.

What is the ISTG? Who has that role by default?

Intersite Topology Generator (ISTG), which is responsible for the connections among the sites. By default Windows 2003 Forest level functionality has this role. By Default the first Server has this role. If that server can no longer preform this role then the next server with the highest GUID then takes over the role of ISTG.

What are the requirements for installing AD on a new server?

· An NTFS partition with enough free space (250MB minimum)

· An Administrator’s username and password

· The correct operating system version

· A NIC

· Properly configured TCP/IP (IP address, subnet mask and – optional – default gateway)

· A network connection (to a hub or to another computer via a crossover cable)

· An operational DNS server (which can be installed on the DC itself)

· A Domain name that you want to use

· The Windows 2000 or Windows Server 2003 CD media (or at least the i386 folder)

From the Petri IT Knowledge base. For more info, follow this link:

http://www.petri.co.il/active_directory_installation_requirements.htm

What can you do to promote a server to DC if you’re in a remote location with slow WAN link?

First available in Windows 2003, you will create a copy of the system state from an existing DC and copy it to the new remote server. Run “Dcpromo /adv”. You will be prompted for the location of the system state files

How can you forcibly remove AD from a server, and what do you do later? • Can I get user passwords from the AD database?

Demote the server using dcpromo /forceremoval, then remove the metadata from Active directory using ndtsutil. There is no way to get user passwords from AD that I am aware of, but you should still be able to change them.

Another way out too

Restart the DC is DSRM mode

a. Locate the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions

b. In the right-pane, double-click ProductType.

c. Type ServerNT in the Value data box, and then click OK.

Restart the server in normal mode

its a member server now but AD entries are still there. Promote teh server to a fake domain say ABC.com and then remove gracefully using DCpromo. Else after restart you can also use ntdsutil to do metadata as told in teh earlier post

What tool would I use to try to grab security related packets from the wire?

you must use sniffer-detecting tools to help stop the snoops. … A good packet sniffer would be “ethereal”
www.ethereal.com

Name some OU design considerations ?

OU design requires balancing requirements for delegating administrative rights – independent of Group Policy needs – and the need to scope the application of Group Policy. The following OU design recommendations address delegation and scope issues:

Applying Group Policy An OU is the lowest-level Active Directory container to which you can assign Group Policy settings.

Delegating administrative authority

usually don’t go more than 3 OU levels

What is tombstone lifetime attribute?

The number of days before a deleted object is removed from the directory services. This assists in removing objects from replicated servers and preventing restores from reintroducing a deleted object. This value is in the Directory Service object in the configuration NIC by default 2000 (60 days) 2003 (180 days)

What do you do to install a new Windows 2003 DC in a Windows 2000 AD?

If you plan to install windows 2003 server domain controllers into an existing windows 2000 domain or upgrade a windows 2000 domain controllers to windows server 2003, you first need to run the Adprep.exe utility on the windows 2000 domain controllers currently holding the schema master and infrastructure master roles. The adprep / forestprer command must first be issued on the windows 2000 server holding schema master role in the forest root doman to prepare the existing schema to support windows 2003 active directory. The adprep /domainprep command must be issued on the sever holding the infrastructure master role in the domain where 2000 server will be deployed.

What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?

A. If you’re installing Windows 2003 R2 on an existing Windows 2003 server with SP1 installed, you require only the second R2 CD-ROM. Insert the second CD and the r2auto.exe will display the Windows 2003 R2 Continue Setup screen.

If you’re installing R2 on a domain controller (DC), you must first upgrade the schema to the R2 version (this is a minor change and mostly related to the new Dfs replication engine). To update the schema, run the Adprep utility, which you’ll find in the Cmpnents\r2\adprep folder on the second CD-ROM. Before running this command, ensure all DCs are running Windows 2003 or Windows 2000 with SP2 (or later)

How would you find all users that have not logged on since last month?
http://wiki.answers.com/Q/How_would_you_find_all_users_that_have_not_logged_on_since_last_month

What are the DS commands?

New DS (Directory Service) Family of built-in command line utilities for Windows Server 2003 Active Directory

New DS built-in tools for Windows Server 2003
The DS (Directory Service) group of commands are split into two families. In one branch are DSadd, DSmod, DSrm and DSMove and in the other branch are DSQuery and DSGet.

When it comes to choosing a scripting tool for Active Directory objects, you really are spoilt for choice. The the DS family of built-in command line executables offer alternative strategies to CSVDE, LDIFDE and VBScript.

Let me introduce you to the members of the DS family:

DSadd – add Active Directory users and groups
DSmod – modify Active Directory objects
DSrm – to delete Active Directory objects
DSmove – to relocate objects
DSQuery – to find objects that match your query attributes
DSget – list the properties of an object

What are the FSMO roles? Who has them by default? What happens when each one fails?

FSMO stands for the Flexible single Master Operation

It has 5 Roles: -

Schema Master:

The schema master domain controller controls all updates and modifications to the schema. Once the Schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.

Domain naming master:

The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest.

Infrastructure Master:

When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object’s SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.

Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC’s event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.

Relative ID (RID) Master:

The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security Principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC’s allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain’s RID master. The domain RID master responds to the request by retrieving RIDs from the domain’s unallocated RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.

PDC Emulator:

The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) time service that is required by the Kerberos authentication protocol. All Windows 2000/2003-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops to ensure appropriate common time usage.

The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner.

:: In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:

:: Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.

Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.

Account lockout is processed on the PDC emulator.

Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator’s SYSVOL share, unless configured not to do so by the administrator.

The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.

This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows 2000/2003. The PDC emulator still performs the other functions as described in a Windows 2000/2003 environment.

What FSMO placement considerations do you know of?

Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in Active Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot (or actually, on the same DC) as has been configured by the Active Directory installation process. However, there are scenarios where an administrator would want to move one or more of the FSMO roles from the default holder DC to a different DC.
Windows Server 2003 Active Directory is a bit different than the Windows 2000 version when dealing with FSMO placement. In this article I will only deal with Windows Server 2003 Active Directory, but you should bear in mind that most considerations are also true when planning Windows 2000 AD FSMO roles

What’s the difference between transferring a FSMO role and seizing one? Which one should you NOT seize? Why?

Certain domain and enterprise-wide operations that are not good for multi-master updates are performed by a single domain controller in an Active Directory domain or forest. The domain controllers that are assigned to perform these unique operations are called operations masters or FSMO role holders.

The following list describes the 5 unique FSMO roles in an Active Directory forest and the dependent operations that they perform:

Schema master – The Schema master role is forest-wide and there is one for each forest. This role is required to extend the schema of an Active Directory forest or to run the adprep /domainprep command.
Domain naming master – The Domain naming master role is forest-wide and there is one for each forest. This role is required to add or remove domains or application partitions to or from a forest.
RID master – The RID master role is domain-wide and there is one for each domain. This role is required to allocate the RID pool so that new or existing domain controllers can create user accounts, computer accounts or security groups.
PDC emulator – The PDC emulator role is domain-wide and there is one for each domain. This role is required for the domain controller that sends database updates to Windows NT backup domain controllers. The domain controller that owns this role is also targeted by certain administration tools and updates to user account and computer account passwords.
Infrastructure master – The Infrastructure master role is domain-wide and there is one for each domain. This role is required for domain controllers to run the adprep /forestprep command successfully and to update SID attributes and distinguished name attributes for objects that are referenced across domains.

The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to the first domain controller in the forest root domain. The first domain controller in each new child or tree domain is assigned the three domain-wide roles. Domain controllers continue to own FSMO roles until they are reassigned by using one of the following methods:

An administrator reassigns the role by using a GUI administrative tool.
An administrator reassigns the role by using the ntdsutil /roles command.
An administrator gracefully demotes a role-holding domain controller by using the Active Directory Installation Wizard. This wizard reassigns any locally-held roles to an existing domain controller in the forest. Demotions that are performed by using the dcpromo /forceremoval command leave FSMO roles in an invalid state until they are reassigned by an administrator.

We recommend that you transfer FSMO roles in the following scenarios:

The current role holder is operational and can be accessed on the network by the new FSMO owner.
You are gracefully demoting a domain controller that currently owns FSMO roles that you want to assign to a specific domain controller in your Active Directory forest.
The domain controller that currently owns FSMO roles is being taken offline for scheduled maintenance and you need specific FSMO roles to be assigned to a “live” domain controller. This may be required to perform operations that connect to the FSMO owner. This would be especially true for the PDC Emulator role but less true for the RID master role, the Domain naming master role and the Schema master roles.

We recommend that you seize FSMO roles in the following scenarios:

The current role holder is experiencing an operational error that prevents an FSMO-dependent operation from completing successfully and that role cannot be transferred.
A domain controller that owns an FSMO role is force-demoted by using the dcpromo /forceremoval command.
The operating system on the computer that originally owned a specific role no longer exists or has been reinstalled.

As replication occurs, non-FSMO domain controllers in the domain or forest gain full knowledge of changes that are made by FSMO-holding domain controllers. If you must transfer a role, the best candidate domain controller is one that is in the appropriate domain that last inbound-replicated, or recently inbound-replicated a writable copy of the “FSMO partition” from the existing role holder. For example, the Schema master role-holder has a distinguished name path of CN=schema,CN=configuration,dc=<forest root domain>, and this mean that roles reside in and are replicated as part of the CN=schema partition. If the domain controller that holds the Schema master role experiences a hardware or software failure, a good candidate role-holder would be a domain controller in the root domain and in the same Active Directory site as the current owner. Domain controllers in the same Active Directory site perform inbound replication every 5 minutes or 15 seconds.

A domain controller whose FSMO roles have been seized should not be permitted to communicate with existing domain controllers in the forest. In this scenario, you should either format the hard disk and reinstall the operating system on such domain controllers or forcibly demote such domain controllers on a private network and then remove their metadata on a surviving domain controller in the forest by using the ntdsutil /metadata cleanup command. The risk of introducing a former FSMO role holder whose role has been seized into the forest is that the original role holder may continue to operate as before until it inbound-replicates knowledge of the role seizure. Known risks of two domain controllers owning the same FSMO roles include creating security principals that have overlapping RID pools, and other problems.

Transfer FSMO roles

To transfer the FSMO roles by using the Ntdsutil utility, follow these steps:

Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being transferred. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer Schema master or Domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.
Click Start, click Run, type ntdsutil in the Open box, and then click OK.
Type roles, and then press ENTER.Note To see a list of available commands at any one of the prompts in the Ntdsutil utility, type ?, and then press ENTER.
Type connections, and then press ENTER.
Type connect to server servername, and then press ENTER, where servername is the name of the domain controller you want to assign the FSMO role to.
At the server connections prompt, type q, and then press ENTER.
Type transfer role, where role is the role that you want to transfer. For a list of roles that you can transfer, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to transfer the RID master role, type transfer rid master. The one exception is for the PDC emulator role, whose syntax is transfer pdc, not transfer pdc emulator.
At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.

Seize FSMO roles

To seize the FSMO roles by using the Ntdsutil utility, follow these steps:

Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being seized. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer schema or domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.
Click Start, click Run, type ntdsutil in the Open box, and then click OK.
Type roles, and then press ENTER.
Type connections, and then press ENTER.
Type connect to server servername, and then press ENTER, where servername is the name of the domain controller that you want to assign the FSMO role to.
At the server connections prompt, type q, and then press ENTER.
Type seize role, where role is the role that you want to seize. For a list of roles that you can seize, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to seize the RID master role, type seize rid master. The one exception is for the PDC emulator role, whose syntax is seize pdc, not seize pdc emulator.
At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.Notes

Under typical conditions, all five roles must be assigned to “live” domain controllers in the forest. If a domain controller that owns a FSMO role is taken out of service before its roles are transferred, you must seize all roles to an appropriate and healthy domain controller. We recommend that you only seize all roles when the other domain controller is not returning to the domain. If it is possible, fix the broken domain controller that is assigned the FSMO roles. You should determine which roles are to be on which remaining domain controllers so that all five roles are assigned to a single domain controller. For more information about FSMO role placement, click the following article number to view the article in the Microsoft Knowledge Base: 223346 (http://support.microsoft.com/kb/223346/ ) FSMO placement and optimization on Windows 2000 domain controllers
If the domain controller that formerly held any FSMO role is not present in the domain and if it has had its roles seized by using the steps in this article, remove it from the Active Directory by following the procedure that is outlined in the following Microsoft Knowledge Base article: 216498 (http://support.microsoft.com/kb/216498/ ) How to remove data in active directory after an unsuccessful domain controller demotion
Removing domain controller metadata with the Windows 2000 version or the Windows Server 2003 build 3790 version of the ntdsutil /metadata cleanup command does not relocate FSMO roles that are assigned to live domain controllers. The Windows Server 2003 Service Pack 1 (SP1) version of the Ntdsutil utility automates this task and removes additional elements of domain controller metadata.
Some customers prefer not to restore system state backups of FSMO role-holders in case the role has been reassigned since the backup was made.
Do not put the Infrastructure master role on the same domain controller as the global catalog server. If the Infrastructure master runs on a global catalog server it stops updating object information because it does not contain any references to objects that it does not hold. This is because a global catalog server holds a partial replica of every object in the forest.

To test whether a domain controller is also a global catalog server:

Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
Double-click Sites in the left pane, and then locate the appropriate site or click Default-first-site-name if no other sites are available.
Open the Servers folder, and then click the domain controller.
In the domain controller’s folder, double-click NTDS Settings.
On the Action menu, click Properties.
On the General tab, view the Global Catalog check box to see if it is selected.

For more information about FSMO roles, click the following article numbers to view the articles in the Microsoft Knowledge Base:

How do you configure a “stand-by operation master” for any of the roles?

Open Active Directory Sites and Services.
Expand the site name in which the standby operations master is located to display the Servers folder.
Expand the Servers folder to see a list of the servers in that site.
Expand the name of the server that you want to be the standby operations master to display its NTDS Settings.
Right-click NTDS Settings, click New, and then click Connection.
In the Find Domain Controllers dialog box, select the name of the current role holder, and then click OK.
In the New Object-Connection dialog box, enter an appropriate name for the Connection object or accept the default name, and click OK.

How do you backup AD?

Backing up Active Directory is essential to maintain an Active Directory database. You can back up Active Directory by using the Graphical User Interface (GUI) and command-line tools that the Windows Server 2003 family provides.
You frequently backup the system state data on domain controllers so that you can restore the most current data. By establishing a regular backup schedule, you have a better chance of recovering data when necessary.

To ensure a good backup includes at least the system state data and contents of the system disk, you must be aware of the tombstone lifetime. By default, the tombstone is 60 days. Any backup older than 60 days is not a good backup. Plan to backup at least two domain controllers in each domain, one of at least one backup to enable an authoritative restore of the data when necessary.

System State Data
Several features in the windows server 2003 family make it easy to backup Active Directory. You can backup Active Directory while the server is online and other network function can continue to function.

System state data on a domain controller includes the following components:

Active Directory system state data does not contain Active Directory unless the server, on which you are backing up the system state data, is a domain controller. Active Directory is present only on domain controllers.

The SYSVOL shared folder: This shared folder contains Group policy templates and logon scripts. The SYSVOL shared folder is present only on domain controllers.

The Registry: This database repository contains information about the computer’s configuration.

System startup files: Windows Server 2003 requires these files during its initial startup phase. They include the boot and system files that are under windows file protection and used by windows to load, configure, and run the operating system.

The COM+ Class Registration database: The Class registration is a database of information about Component Services applications.

The Certificate Services database: This database contains certificates that a server running Windows server 2003 uses to authenticate users. The Certificate Services database is present only if the server is operating as a certificate server.

System state data contains most elements of a system’s configuration, but it may not include all of the information that you require recovering data from a system failure. Therefore, be sure to backup all boot and system volumes, including the System State, when you back up your server.

Restoring Active Directory

In Windows Server 2003 family, you can restore the Active Directory database if it becomes corrupted or is destroyed because of hardware or software failures. You must restore the Active Directory database when objects in Active Directory are changed or deleted.

Active Directory restore can be performed in several ways. Replication synchronizes the latest changes from every other replication partner. Once the replication is finished each partner has an updated version of Active Directory. There is another way to get these latest updates by Backup utility to restore replicated data from a backup copy. For this restore you don’t need to configure again your domain controller or no need to install the operating system from scratch.

Active Directory Restore Methods
You can use one of the three methods to restore Active Directory from backup media: primary restore, normal (non authoritative) restore, and authoritative restore.

Primary restore: This method rebuilds the first domain controller in a domain when there is no other way to rebuild the domain. Perform a primary restore only when all the domain controllers in the domain are lost, and you want to rebuild the domain from the backup.
Members of Administrators group can perform the primary restore on local computer, or user should have been delegated with this responsibility to perform restore. On a domain controller only Domain Admins can perform this restore.
Normal restore: This method reinstates the Active Directory data to the state before the backup, and then updates the data through the normal replication process. Perform a normal restore for a single domain controller to a previously known good state.
Authoritative restore: You perform this method in tandem with a normal restore. An authoritative restore marks specific data as current and prevents the replication from overwriting that data. The authoritative data is then replicated through the domain.
Perform an authoritative restore individual object in a domain that has multiple domain controllers. When you perform an authoritative restore, you lose all changes to the restore object that occurred after the backup. Ntdsutil is a command line utility to perform an authoritative restore along with windows server 2003 system utilities. The Ntdsutil command-line tool is an executable file that you use to mark Active Directory objects as authoritative so that they receive a higher version recently changed data on other domain controllers does not overwrite system state data during replication.

How do you restore AD?

Restoring Active Directory :

Primary restore: This method rebuilds the first domain controller in a domain when there is no other way to rebuild the domain. Perform a primary restore only when all the domain controllers in the domain are lost, and you want to rebuild the domain from the backup.
Members of Administrators group can perform the primary restore on local computer, or user should have been delegated with this responsibility to perform restore. On a domain controller only Domain Admins can perform this restore.
Normal restore: This method reinstates the Active Directory data to the state before the backup, and then updates the data through the normal replication process. Perform a normal restore for a single domain controller to a previously known good state.
Authoritative restore: You perform this method in tandem with a normal restore. An authoritative restore marks specific data as current and prevents the replication from overwriting that data. The authoritative data is then replicated through the domain.
Perform an authoritative restore individual object in a domain that has multiple domain controllers. When you perform an authoritative restore, you lose all changes to the restore object that occurred after the backup. Ntdsutil is a command line utility to perform an authoritative restore along with windows server 2003 system utilities. The Ntdsutil command-line tool is an executable file that you use to mark Active Directory objects as authoritative so that they receive a higher version recently changed data on other domain controllers does not overwrite system state data during replication.

METHOD

A.
You can’t restore Active Directory (AD) to a domain controller (DC) while the Directory Service (DS) is running. To restore AD, perform the following steps.

Reboot the computer.
At the boot menu, select Windows 2000 Server. Don’t press Enter. Instead, press F8 for advanced options. You’ll see the following text. OS Loader V5.0

Windows NT Advanced Options Menu
Please select an option:

Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt

Enable Boot Logging
Enable VGA Mode
Last Known Good Configuration
Directory Services Restore Mode (Windows NT domain controllers only)
Debugging Mode

Use | and | to move the highlight to your choice.
Press Enter to choose.
Scroll down, and select Directory Services Restore Mode (Windows NT domain controllers only).
Press Enter.
When you return to the Windows 2000 Server boot menu, press Enter. At the bottom of the screen, you’ll see in red text Directory Services Restore Mode (Windows NT domain controllers only).
The computer will boot into a special safe mode and won’t start the DS. Be aware that during this time the machine won’t act as a DC and won’t perform functions such as authentication.

Start NT Backup.
Select the Restore tab.
Select the backup media, and select System State.
Click Start Restore.
Click OK in the confirmation dialog box.
After you restore the backup, reboot the computer and start in normal mode to use the restored information. The computer might hang after the restore completes; Sometimes it takes a 30-minute wait on some machines.

How do you change the DS Restore admin password?

When you promote a Windows 2000 Server-based computer to a domain controller, you are prompted to type a Directory Service Restore Mode Administrator password. This password is also used by Recovery Console, and is separate from the Administrator password that is stored in Active Directory after a completed promotion.

The Administrator password that you use when you start Recovery Console or when you press F8 to start Directory Service Restore Mode is stored in the registry-based Security Accounts Manager (SAM) on the local computer. The SAM is located in the\System32\Config folder. The SAM-based account and password are computer specific and they are not replicated to other domain controllers in the domain.

For ease of administration of domain controllers or for additional security measures, you can change the Administrator password for the local SAM. To change the local Administrator password that you use when you start Recovery Console or when you start Directory Service Restore Mode, use the following method.

1. Log on to the computer as the administrator or a user who is a member of the Administrators group. 2. Shut down the domain controller on which you want to change the password. 3. Restart the computer. When the selection menu screen is displayed during restar, press F8 to view advanced startup options. 4. Click the Directory Service Restore Mode option. 5. After you log on, use one of the following methods to change the local Administrator password: • At a command prompt, type the following command:

net user administrator

• Use the Local User and Groups snap-in (Lusrmgr.msc) to change the Administrator password. 6. Shut down and restart the computer. You can now use the Administrator account to log on to Recovery Console or Directory Services Restore Mode using the new password.

Why can’t you restore a DC that was backed up 4 months ago?

Because of the tombstone life which is set to only 60 days

What are GPOs?

Group Policy gives you administrative control over users and computers in your network. By using Group Policy, you can define the state of a user’s work environment once, and then rely on Windows Server 2003 to continually force the Group Policy settings that you apply across an entire organization or to specific groups of users and computers.
Group Policy Advantages
You can assign group policy in domains, sites and organizational units.
All users and computers get reflected by group policy settings in domain, site and organizational unit.
No one in network has rights to change the settings of Group policy; by default only administrator has full privilege to change, so it is very secure.
Policy settings can be removed and can further rewrite the changes.
Where GPO’s store Group Policy Information
Group Policy objects store their Group Policy information in two locations:

Group Policy Container: The GPC is an Active Directory object that contains GPO status, version information, WMI filter information, and a list of components that have settings in the GPO. Computers can access the GPC to locate Group Policy templates, and domain controller does not have the most recent version of the GPO, replication occurs to obtain the latest version of the GPO.
Group Policy Template: The GPT is a folder hierarchy in the shared SYSVOL folder on a domain controller. When you create GPO, Windows Server 2003 creates the corresponding GPT which contains all Group Policy settings and information, including administrative templates, security, software installation, scripts, and folder redirection settings. Computers connect to the SYSVOL folder to obtain the settings.
The name of the GPT folder is the Globally Unique Identifier (GUID) of the GPO that you created. It is identical to the GUID that Active Directory uses to identify the GPO in the GPC. The path to the GPT on a domain controller is systemroot\SYSVOL\sysvol.
Managing GPOs
To avoid conflicts in replication, consider the selection of domain controller, especially because the GPO data resides in SYSVOL folder and the Active Directory. Active Directory uses two independent replication techniques to replicate GPO data among all domain controllers in the domain. If two administrator’s changes can overwrite those made by other administrator, depends on the replication latency. By default the Group Policy Management console uses the PDC Emulator so that all administrators can work on the same domain controller.

WMI Filter
WMI filters is use to get the current scope of GPOs based on attributes of the user or computer. In this way, you can increase the GPOs filtering capabilities beyond the security group filtering mechanisms that were previously available.

Linking can be done with WMI filter to a GPO. When you apply a GPO to the destination computer, Active Directory evaluates the filter on the destination computer. A WMI filter has few queries that active Directory evaluates in place of WMI repository of the destination computer. If the set of queries is false, Active Directory does not apply the GPO. If set of queries are true, Active Directory applies the GPO. You write the query by using the WMI Query Language (WQL); this language is similar to querying SQL for WMI repository.

Planning a Group Policy Strategy for the Enterprise
When you plan an Active Directory structure, create a plan for GPO inheritance, administration, and deployment that provides the most efficient Group Policy management for your organization.

Also consider how you will implement Group Policy for the organization. Be sure to consider the delegation of authority, separation of administrative duties, central versus decentralized administration, and design flexibility so that your plan will provide for ease of use as well as administration.

Planning GPOs
Create GPOs in way that provides for the simplest and most manageable design — one in which you can use inheritance and multiple links.

Guidelines for Planning GPOs
Apply GPO settings at the highest level: This way, you take advantage of Group Policy inheritance. Determine what common GPO settings for the largest container are starting with the domain and then link the GPO to this container.
Reduce the number of GPOs: You reduce the number by using multiple links instead of creating multiple identical GPOs. Try to link a GPO to the broadest container possible level to avoid creating multiple links of the same GPO at a deeper level.
Create specialized GPOs: Use these GPOs to apply unique settings when necessary. GPOs at a higher level will not apply the settings in these specialized GPOs.
Disable computer or use configuration settings: When you create a GPO to contain settings for only one of the two levels-user and computer-disable the logon and prevents accidental GPO settings from being applied to the other area.

What is the order in which GPOs are applied?

Local, Site, Domain, OU

Group Policy settings are processed in the following order:

1:- Local Group Policy object-each computer has exactly one Group Policy object that is stored locally. This processes for both computer and user Group Policy processing.

2:- Site-Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in Group Policy Management Console (GPMC). The GPO with the lowest link order is processed last, and therefore has the highest precedence.

3:- Domain-processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.

4:- Organizational units-GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed.

At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.

This order means that the local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts. (If there are no conflicts, then the earlier and later settings are merely aggregated.)

Name a few benefits of using GPMC.

Microsoft released the Group Policy Management Console (GPMC) years ago, which is an amazing innovation in Group Policy management. The tool provides control over Group Policy in the following manner:

Easy administration of all GPOs across the entire Active Directory Forest
View of all GPOs in one single list
Reporting of GPO settings, security, filters, delegation, etc.
Control of GPO inheritance with Block Inheritance, Enforce, and Security Filtering
Delegation model
Backup and restore of GPOs
Migration of GPOs across different domains and forests

With all of these benefits, there are still negatives in using the GPMC alone. Granted, the GPMC is needed and should be used by everyone for what it is ideal for. However, it does fall a bit short when you want to protect the GPOs from the following:

Role based delegation of GPO management
Being edited in production, potentially causing damage to desktops and servers
Forgetting to back up a GPO after it has been modified
Change management of each modification to every GPO

How can you determine what GPO was and was not applied for a user? Name a few ways to do that.

Simply use the Group Policy Management Console created by MS for that very purpose, allows you to run simulated policies on computers or users to determine what policies are enforced. Link in sources

What are administrative templates?

Administrative Templates are a feature of Group Policy, a Microsoft technology for centralised management of machines and users in an Active Directory environment.

Administrative Templates facilitate the management of registry-based policy. An ADM file is used to describe both the user interface presented to the Group Policy administrator and the registry keys that should be updated on the target machines. An ADM file is a text file with a specific syntax which describes both the interface and the registry values which will be changed if the policy is enabled or disabled.

ADM files are consumed by the Group Policy Object Editor (GPEdit). Windows XP Service Pack 2 shipped with five ADM files (system.adm, inetres.adm, wmplayer.adm, conf.adm and wuau.adm). These are merged into a unified “namespace” in GPEdit and presented to the administrator under the Administrative Templates node (for both machine and user policy).

What’s the difference between software publishing and assigning?

ANS An administrator can either assign or publish software applications.

Assign Users
The software application is advertised when the user logs on. It is installed when the user clicks on the software application icon via the start menu, or accesses a file that has been associated with the software application.

Assign Computers
The software application is advertised and installed when it is safe to do so, such as when the computer is next restarted.

Publish to users
The software application does not appear on the start menu or desktop. This means the user may not know that the software is available. The software application is made available via the Add/Remove Programs option in control panel, or by clicking on a file that has been associated with the application. Published applications do not reinstall themselves in the event of accidental deletion, and it is not possible to publish to computers.

Interview Questions for System Administrator / Network Administrator

General Questions

Q. Please describe the technical environment of your current (or most recent) position.

A. When describing the technical environment that you currently support, be sure to include the number of users you support, the number of IT staff, the technical infrastructure including servers, types of connections, desktop operating systems, your job duties, and your work schedule.
You should be prepared to talk about each of the positions you have listed on your résumé in this way. Also be prepared with a follow-up statement of your most significant accomplishment.

Q. How do you keep your technical knowledge and skills current?
A. Keeping your skills current demonstrates initiative and a desire to perform at high standards. Be prepared with a list of resources including professional groups.

Q. Please describe your greatest technical challenge and how you overcame it.
A. Ah, an opportunity for a story. Great examples to draw on: how you taught yourself a new operating system, the installation of a complex system, integration of multiple systems, building of an e-commerce web site.

Q. What are some of the tools you use to make your job easier?
A. All network administrators have a bag of tricks. You should share some of your trade secrets as a way of demonstrating that you can be efficient in your job as a network administrator. These can include ghosting tools, troubleshooting tools, and documentation tools.

Q. How do you document your network?
A. One of the toughest parts of network administration is keeping track of an always changing environment. You must have basic documentation for user administration, file system planning, and address planning. Share your documentation with your interviewer.

Planning Questions

The interviewer will be interested in your network planning methodologies. The following questions provide insight into these skills.

Q. What are some of the things you need to take into consideration when planning an upgrade from one network operating system to another?
A. This is the mother of all planning activities because it will affect so many resources. The key here is testing and backups and that’s what the interviewer wants to hear. Other considerations include:

Network documentation
Ensuring that your hardware meets the minimum hardware requirements for the new operating system
Creating a test network for testing the compatibility of applications, hardware, and drivers with the new operating system
Gathering all updated drivers and patches/service packs required for upgrade compatibility
Identifying workflow issues before converting
Separating workstation conversions from server conversions
Ensuring you have backups of data and the servers so that you can revert back
Network addressing scheme

Q. Describe the backup/restore policy you use most.
A. First of all, the interviewer wants to ensure that you do backups! There are different methods, but the most common backup strategy used is to perform incremental backups Monday through Thursday and a normal backup on Friday. An alternative backup strategy is to perform differential backups Monday through Thursday and a normal backup on Friday.

Q. How would you ensure that your servers are secure?
A. Security always begins at the physical level—it makes little difference that you’ve provided all the security the operating system and software can provide if someone can walk away with the box or the portable hard drive. The next step is to ensure you have the latest service packs for the operating system and applications running on the server.

Installation

Q. What steps do you go through as part of your server installation process?
A. The interviewer wants to know whether your typical work habits are to just jump in or whether you do some planning. You obviously want to ensure that your hardware meets the minimum requirements, that you have all the right drivers for the new operating system, and whether you need a ROM upgrade for your hardware. Depending on how many installations you’ve done, you may have a process that you like to follow. If you do, describe it to the interviewer.

Q. How do you determine which file system is best for your environment?
A. This question tests how well you plan for a variety of different environments. The key here is to take into consideration the file format support required for backward compatibility with other operating systems like NetWare or older versions of Windows NT. You’ll also want to make sure there’s enough disk space for drivers and files that must reside in the system partition, as well as space for a dump file if anything goes wrong.

Q. What’s the first thing you should do after installing the network operating system?
A. This is a test of your security skills. The first thing you should do is either change the password on the administrator account or change the name of the account itself.

Q. You just installed a service pack on the e-mail, SQL, print, and file servers. You rebooted all the servers, and now the service pack installation is complete. What’s the final step for the evening?
A. The interviewer wants to make sure that testing is an integral part of your routine whenever you install software or make updates to systems. You may also want to review the Event Viewer logs and look for any errors that have been registered. It’s a good idea to also examine the administrative interfaces for SQL and the e-mail server to satisfy yourself that no anomalies have appeared there.

Configuration

Ninety percent of your day is spent configuring network services, whether it’s installing applications, creating users, or adding printers.

Q. What methods are available for configuring a WINS server for use by various Microsoft computers?
A. This question demonstrates to the interviewer that you are familiar with the various methods for configuring routing using WINS. You can either configure the WINS server manually or by way of a Dynamic Host Configuration Protocol Server.

Q. A user has left the company and you need to create a new user with the same rights and permissions. What are some of the ways to create the new user?
A. By asking you to describe multiple ways of getting the job done, the interviewer can assess your experience level with the operating system. Some of the correct answers to this question include the following:

You could copy an existing user’s account to create a new account. However, the rights and permissions for the new, copied account will be based purely on its group memberships, not permissions g
ranted strictly to the original account itself.
Using Active Directory, you could use the CSVDE.exe program to create a new account with specific group memberships; however, this program is usually intended for bulk creation of accounts in your domain.
You could create the new account from scratch, assigning group permissions or individual rights manually.

Q. What are some of the alternative ways for mapping a drive letter to a file server if you wish to connect to one of the server’s shared folders?
A. This question tests your experience by asking for alternate methods of getting the job done. In addition to mapped drives you can use a Universal Naming Convention path: \\servername\ sharename. You can also browse the Network Neighborhood.

Q. You shared a printer from your NT server. What could you do to ensure that the printer is easily accessible to your Windows 98 clients?
A. You may have to support older clients on your network. This question tests your experience with older technology. In this case, you should load the Windows 98 printer drivers on the share point.

Q. How large can I make a file allocation table partition using the NT operating system?
A. This question tests your familiarity with system capabilities and limitations. The maximum FAT partition size is 4 gigabytes.

Q. Is it necessary for an NT client computer to use the server’s name in that UNC path?
A. There are typically multiple ways of accomplishing the same task. Thank goodness, because you sometimes need them while troubleshooting. Using very basic questions, the interviewer can assess your real knowledge and experience with various operating systems. In this case, you can also use the server’s TCP/IP address.

Q. We are creating a web site on our NT server using Internet Information Server 4.0. We expect users to log on anonymously. How many client access licenses must we purchase to allow up to 100 simultaneous connections to our web site?
A. This is a trick question to see if you understand the concept of user licensed connections. Anonymous logons on IIS 4.0 do not require client access licenses.

Troubleshooting

Q. A user contacts you and reports that their Windows 2000 workstation is having troubleconnecting to the Web. You run the ipconfig command on the computer and you find that the computer is not referencing the correct primary DNS server. What must you do to remedy this?

A. Using this question, the interviewer can assess your routing troubleshooting skills, an essential part of network administration. In this case, you would want to check the primary DNS setting in the IP configuration of the computer. If ipconfig shows a setting for the default DNS server other than what you want, this means the computer’s IP configuration is incorrect. Therefore, the Windows 2000 client computer needs to be reconfigured.

Q. Users are complaining of slow performance when they run server-based applications.
The server has the following specifications:
> Compaq 1600
> 800 MHz Pentium 3
> 256MB of RAM
> 18GB EIDE hard drive
> 10/100 NIC
> Connected to a Cisco switch
The performance monitor shows the following:
Memory Pages/Sec: 5
Physical Disk % Disk Time: 20 percent
Processor % Processor Time: 90 percent

What is the best way to improve the system’s performance?

A. This question tests your knowledge of server optimization. In this case, the recommendation should be to upgrade the processor. Microsoft recommends you do so if the CPU utilization averages over 70 to 75 percent.

Q. A user is having trouble sharing a folder from their NT Workstation. What is a likely cause?
A. The interviewer is testing your basic knowledge of rights. In order to share a folder you must be logged on as an administrator, server operator (in a domain), or power user (in a workgroup).

Q. You’ve shared a folder and set the share permissions to “Everyone = Full Control.” However,none of the users can save information in the folder. What’s the likely cause?
A. This is another question that tests your knowledge of permissions. The likely cause is that someone has set the NTFS permissions in a more restrictive manner than the share permissions. Between those two categories of permissions, the more restrictive of the two always applies to users accessing the folder over the network.

Q. What is the most likely cause for the failure of a user to connect to an NT remote accessserver?
A. Supporting remote users may be a big part of your job. It’s important to understand the proper configuration and troubleshooting of the NT RAS. In this case, the user must be granted the RAS dial-in permission.

Q. A remote user in Montana, who is not technical and is scared to death of computers, calls for help. The user logged in to your network via the terminal server. You determine that the solution to the user’s problem requires an edit of a hidden read-only file, deleting a system file in the winnt\system32 folder, and creating a simple batch file on the user’s computer. What tools would you use to resolve this problem?
A. This question tests your ability for remote troubleshooting. An administrator can edit these files on the user’s computer by connecting to it over the network via the Computer Management console in Windows 2000. Using this console, you can access the administrative shares (C$, D$, and so on) that represent the partitions on the user’s computer. From there, you can edit or create any files necessary to repair the problem.

Windows NT Networking Questions

Windows NT is still the most popular operating system around. You should be comfortable with this environment to be able to respond to the following questions that an interviewer may ask you.

Q. Why is Windows Internet Name Server needed in a Windows NT domain?
A. An important part of network administration is setting up the server and clients so they can find one another. WINS is necessary to achieve NetBIOS name resolution. Your desktop clients can then log on to the domain, and the domain controllers can authenticate to one another.

Q. What is the normal replication interval between the primary domain controll
er and the backup domain controller?
A. The PDC waits five minutes after a change in the domain database before “pulsing,” or notifying, the BDCs.

Q. How can you synchronize a BDC immediately?
A. Within the server manager, select the BDC’s account, choose the Computer menu, and select Synchronize With Primary Domain Controller.

Q. Users change their passwords in the NT domain every 30 days. Our primary domaincontroller is in New York, but we have users in our California office. When a California user changes their password, will they be able to use the new password immediately, or must they wait for replication to occur to a backup domain controller in California?
A. You must have a firm grasp of replication. In this case, waiting for a replication will not be necessary. If a BDC doesn’t recognize a user’s password, it will automatically appeal to the PDC to establish its validity.

Q. I’ve created logon scripts for my users on the primary domain controller. I’ve correctlymapped them in the properties of my users’ accounts. Some run, some do not. What should I check next?
A. The scripts should be replicated to all of your backup domain controllers. The domain controller that validates the logon is the one that runs the script.

Q. Is it possible to create a domain account from an NT member server?
A. Yes. By using User Manager for Domains, you can create the account from the member server. The account will actually be created on the primary domain controller, however.

Q. Someone just dropped a safe on our primary domain controller. What should we do next?
A. You should promote one of your backup domain controllers to become the primary domain controller.

Q. After the promotion, what happens if we bring the old PDC back online?
A. When the old PDC gets back online, its Netlogon service will fail. You can resolve this through Server Manager by first demoting it to a backup domain controller and then promoting it to a primary domain controller.

Q. One of your users logs on to the domain from his NT Workstation. Due to a network failure the following day, he is unable to contact a domain controller when he tries to log on. Can the user log on with his domain account?
A. Yes. He will be able to log on with locally cached credentials.

Q. Someone deleted the account of one of my backup domain controllers in Server Manager.When the BDC boots up, it is unable to authenticate to the primary domain controller, and its Netlogon service fails. What can I do?
A. Either restore the account from a backup or reinstall the backup domain controller from scratch.

Q. How can I promote one of my member servers to become a backup domain controller?
A. You can’t. You must reinstall the entire operating system as a domain controller (either a backup or primary domain controller).

Q. Does it matter which of my domain controllers I upgrade to Windows 2000 first?
A. Yes. You must upgrade the primary domain controller to Windows 2000 before any of the backup domain controllers.

Q. What about the member servers and workstations? Must I upgrade them in any particularorder?
A. No. member servers and workstations can be upgraded in any order.

Active Directory

In order to manage an Active Directory Services environment, you must be comfortable with planning, security and permissions, authentication, and synchronization. The following questions may be asked by the interviewer to assess your experience with performing these functions.

Q. What rights must your logged-in account have when creating a Windows 2000 forest?
A. You must understand rights and permissions thoroughly. In this instance, the account must have administrative rights on the Windows 2000 server used to create the new forest.

Q. What rights must your account have when adding a domain to an existing forest?
A. In this case, you must be a member of the Enterprise Administrators group.

Q. My account has the proper rights, but when I try to create a new domain I get an error message stating that the Domain Naming Master cannot be contacted. What does this mean?
A. An experienced network administrator will be able to readily troubleshoot for problems such as this one. This scenario can mean network connectivity issues or a failed Domain Naming Master, which is the domain controller for the forest root domain.

Q. Why is Domain Name System (DNS) so important to an Active Directory forest?
A. As a network administrator you must understand name resolution. DNS is critical to your forest because it possesses all of the service (SRV) records. These records indicate the TCP/IP address and port necessary to locate a specific service offered by a server.

Q. Does the DNS server have to be a Windows 2000 server?
A. This is a trick question. DNS is independent of Windows 2000 and so the answer is no. To support Active Directory, the DNS server must support two BIND (Berkeley Internet Name Domain) version standards: 4.9.6 (SRV records) and 8.1.2 (dynamic updates).

Q. What rights does a user need in order to create computer accounts in an Active Directory domain?
A. By default, a user only needs to be recognized as a member of the Authenticated Users group to add workstations to a domain. This permission is established in the Default Domain Controllers policy, and permits users to create up to ten accounts.

Q. Is it possible to have entirely separate domain name spaces within the same forest?
A. When it comes to Active Directory, you must have a thorough understanding of forest limitations. In this case, you can have multiple domain name spaces within the same forest.

Q. Do clocks synchronize automatically between Windows 2000 computers?
A. This question tests your understanding of Active Directory synchronization. Clocks do synchronize only within a domain. The Primary Domain Controller Emulator handles this task for you. But there is no server that automatically synchronizes clocks between your separate domains.

Q. To create Group Policy objects in a domain, what group must you be a member of?
A. You must be a member of the Group Policy Creator Owners group in your domain to create these objects.

Q. Is it possible to prevent the application of a Group Policy to a user account within one of our organizational units?
A. To prevent the application of a
Group Policy to a user, you would deny the Read and Apply Group Policy permissions to the user in that organizational unit.

Q. Is it possible to schedule replication between two domain controllers in Active Directory?
A. This question assesses your knowledge of configuration options for domain controllers within Active Directory. In this case, place the domain controllers in different sites. Then set the schedule on the Site Link object that connects the sites.

Q. My Windows 98 users cannot search for published objects in our Active Directory domain. How do I add this capability to their computers?
A. Add the DSClient utility to their computers from the Windows 2000 Server CD.

Q. What are some of the ways of propagating permissions set on an Active Directory object to lower-level child objects?
A. Administering security is a big part of an administrator’s job. One way to accomplish this task is the following: On the Security tab of the parent object, click the Advanced button. Using the special permissions list, be sure to select “Apply onto…This object and all child objects.” Another method is to use the Delegation of Control Wizard.

Q. An organization is running a web site using Internet Information Server 5.0 on a Windows2000 Server. The site allows both Anonymous and Integrated Windows authentication. When our domain users connect to the site, which authentication method is used?
A. Understanding authentication modes is a critical part to troubleshooting and effectively securing resources. In this case, they will authenticate as the Anonymous account. An exception to this would be seen if the Anonymous account lacked permissions to a particular resource on the web site, in which case Integrated Windows authentication would be attempted.

Q. How can I move the Active Directory database and log files to a different drive on the domain controller?
A. This can be accomplished by rebooting the domain controller using Directory Services Restore Mode and running the Ntdsutil tool.

Q. An administrator accidentally deleted an entire organizational unit containing 200 users from our domain. How can you recover the organizational unit?
A. Everyone has these types of situations. You must know how to recover from these mistakes. In this case, rebooting a domain controller using Directory Services Restore Mode and conducting an authoritative restore of the OU from a backup will solve the problem.

Q. We demoted our Primary Domain Controller Emulator to become a member server in our domain. What do we need to do to transfer the PDC Emulator role to another domain controller?
A. This question tests how well you understand how the PDC Emulator works. In this situation, the role was automatically transferred when the former PDC Emulator was demoted.

Technical Interview Questions Active Directory/Network/Exchange

1) What is an IP address?

An Internet Protocol (IP) address is a numerical label that is assigned to devices participating in a computer network utilizing the Internet

an IP address is a 32-bit number thatidentifies each sender or receiver of information that is sent in packets across the lan/Internet.

An IP address has two parts: the identifier of a particular network on the Internet and an identifier of the particular device (which can be a server or a workstation) within that network. On the Internet itself – that is, between the router that move packets from one point to another along the route – only the network part of the address is looked at.

2) What is a subnet mask?
A subnet mask allows you to identify which part of an IP address is reserved for the network, and which part is available for host use. If you look at the IP address alone, especially now with classless inter-domain routing, you can’t tell which part of the address is which. Adding the subnet mask, or netmask, gives you all the information you need to calculate network and host portions of the address with ease. In summary, knowing the subnet mask can allow you to easily calculate whether IP addresses are on.
Subnetting enables the network administrator to further divide the host part of the address into two or more subnets.

3) What is ARP?
Short for Address Resolution Protocol, a network layer protocol used to convert an IP address into a physical address (called a DLC address), such as anEthernet address. A host wishing to obtain a physical address broadcasts an ARP request onto the TCP/IP network. The host on the network that has the IP address in the request then replies with its physical hardware address.
ARP is a very important part of IP networking. ARP is used to connect OSI Layer 3 (Network) to OSI Layer 2 (Data- Link). For most of us, that means that ARP is used to link our IP addressing to our Ethernet addressing (MAC Addressing). For you to communicate with any device on your network, you must have the Ethernet MAC address for that device. If the device is not on your LAN, you go through your default gateway (your router). In this case, your router will be the destination MAC address that your PC will communicate with.

4) What is ARP Cache Poisoning?
a method of attacking an Ethernet LAN by updating the target computer’s ARP cache with both a forged ARP request and reply packets in an effort to change the Layer 2 Ethernet MAC address (i.e., the address of the network card) to one that the attacker can monitor. Because the ARP replies have been forged, the target computer sends frames that were meant for the original destination to the attacker’s computer first so the frames can be read. A successful APR attempt is invisible to the user.
ARP cache poisoning, also known as ARP spoofing, is the process of falsifying the source Media Access Control (MAC) addresses of packets being sent on an Ethernet network. It is a MAC layer attack that can only be carried out when an attacker is connected to the same local network as the target machines, limiting its effectiveness only to networks connected with switches, hubs, and bridges; not routers.

5) What is the ANDing process?
In order to determine whether a destination host is local or remote, a computer will perform a simple mathematical computation referred to as an AND operation. While the sending host does this operation internally, understanding what takes place is the key to understanding how an IP-based system knows whether to send packets directly to a host or to a router.

Notice that when the resulting AND values are converted back to binary, it becomes clear that the two hosts are on different networks. Computer A is on subnet 192.168.56.0, while the destination host is on subnet 192.168.64.0, which
means that Computer A will next be sending the data to a router. Without ANDing, determining local and remote hosts can be difficult. Once you’re very familiar with subnetting and calculating ranges of addresses, recognizing local and remote hosts will become much more intuitive. Whenever you’re in doubt as to whether hosts are local or remote, use the ANDing process. You should also notice that the ANDing process always produces the subnet ID of a given host.

6) What is a default gateway? What happens if I don’t have one?
A default gateway is used by a host when an IP packet’s destination address belongs to someplace outside the local subnet. The default gateway address is usually an interface belonging to the LAN‘s border router.
In computer networking, a default network gateway is the device that passes traffic from the local subnet to devices
on other subnets. The default gateway often connects a local network to the Internet, although internal gateways for connecting two local networks also exist.

7) Can a workstation computer be configured to browse the Internet and yet NOT have a default gateway?
If we are using public ip address, we can browse the internet. If it is having an intranet address a gateway is needed as a router or firewall to communicate with internet.

8) What is a subnet?
A portion of a network which shares a network address in which each component is identified by a subnet number.
A subnet is a logical organization of network address ranges used to separate hosts and network devices from each other to serve a design purpose.
In many cases, subnets are created to serve as physical or geographical separations similar to those found between rooms, floors, buildings, or cities.

9) What is APIPA?
Short for Automatic Private IP Addressing, a feature of later Windows operating systems. With APIPA, DHCP clients can automatically self-configure an IP address and subnet mask when a DHCPserver isn’t available. When a DHCP client boots up, it first looks for a DHCP server in order to obtain an IP address and subnet mask. If the client is unable to find the information, it uses APIPA to automatically configure itself with an IP address from a range that has been reserved especially for Microsoft. The IP address range is 169.254.0.1 through 169.254.255.254. The client also configures itself with a default class B subnet mask of 255.255.0.0. A client uses the self- configured IP address until a DHCP server becomes available.

The APIPA service also checks regularly for the presence of a DHCP server (every five minutes, according to Microsoft). If it detects a DHCP server on the network, APIPA stops, and the DHCP server replaces the APIPA networking addresses with dynamically assigned addresses.
APIPA is meant for non routed small business environments,
usually less than 25 clients.

10) What is an RFC? Name a few if possible (not necessarily the numbers, just the ideas behind them)
Short for Request for Comments, a series of notes about the Internet, started in 1969 (when the Internet was the ARPANET). An Internet Document can be submitted to the IETF by anyone, but the IETF decides if the document becomes an RFC. Eventually, if it gains enough interest, it may evolve into an Internet standard.
Each RFC is designated by an RFC number. Once published, an RFC never changes. Modifications to an original RFC are assigned a new RFC number.

11) What is RFC 1918?
RFC 1918 is Address Allocation for Private Internets The Internet Assigned Numbers Authority (IANA) has reserved the
following three blocks of the
IP address space for private internets: 10.0.0.0 -
10.255.255.255 (10/8 prefix) 172.16.0.0 – 172.31.255.255
(172.16/12 prefix) 192.168.0.0 – 192.168.255.255
(192.168/16 prefix) We will refer to the first block as “24-bit block”, the second as “20-bit block”, and to the third as “16-bit” block. Note that (in pre-CIDR notation) the first block is nothing but a single class A network number, while the second block is a set of 16 contiguous class B network numbers, and third block is a set of 256 contiguous class C network numbers.

12) What is CIDR?
CIDR (Classless Inter-Domain Routing, sometimes known as supernetting) is a way to allocate and specify the Internet addresses used in inter-domain routing more flexibly than with the original system of Internet Protocol (IP) address classes. As a result, the number of available Internet addresses has been greatly increased.

13. You have the following Network ID:
192.115.103.64/27.What is the IP range for your network?

It ranges from 192.115.103.64 – 192.115.103.96

But the usable address are from 192.115.103.64 -
192.115.103.94

192.115.103.95 – it is the broadcast address
192.115.103.96 – will be the ip address of next range

we can use 30 hosts in this network

14.You have the following Network ID: 131.112.0.0. You need at least 500 hosts per network. How many networks can you create? What subnet mask will you use?
If you need 500 users then 2^9th would give you 512 (remember the first and last are network and broadcast), 510 usable. So of your 32 bits you would turn the last 9 off for host and that would give you give you a 255.255.254.0 subnet mask
(11111111.11111111.11111110.00000000).
Now that we know that
we can see that you have the first 7 of your third octet turned on so to figure out how many subnets you have us the formula
2^7th= 128. So you can have 128 subnets with 500 people on them.

15.You need to view at network traffic. What will you use? Name a few tools
winshark or tcp dump , or ethereal (available in our file server)

16. How do I know the path that a packet takes to the destination?
use “tracert” command-line

17. What does the ping 192.168.0.1 -l 1000 -n 100 command do?
The ping command will send roundtrip packets to a destination ( other PC, router, printer, etc. ) and see how long it takes. The 192.168.0.1
is the destination ( which, by the way is a typical default IP address of a router. ) The -l 1000 is how big the packet should be in bytes. The default is 32, if the -l parameter is not used. And the -n 100 is saying to send it 100 times. The default is 4, when this parameter is not used.

18. What is DHCP? What are the benefits and drawbacks of using it?
Benefits:
1. DHCP minimizes configuration errors caused by manual IP address configuration.
2. Reduced network administration.

Disadvantage
Your machine name does not change when you get a new IP address. The DNS (Domain Name System) name is associated with your IP address and therefore does change. This only presents a problem if other clients try to access your machine by its DNS name.

19.Describe the steps taken by the client and DHCP server in order to obtain an IP address.
* At least one DHCP server must exist on a network.
Once the DHCP server software is installed, you create a DHCP scope, which is a pool of IP addresses that the server manages. When clients log on, they request an IP address from the server, and the server provides an IP address from its pool of available addresses.
* DHCP was originally defined in RFC 1531 (Dynamic Host Configuration Protocol, October 1993) but the most recent update is RFC 2131 (Dynamic Host Configuration Protocol, March 1997). The IETF Dynamic Host Configuration (dhc) Working Group is chartered to produce a protocol for automated allocation, configuration, and management of IP addresses and TCP/IP protocol stack parameters.

20. What is the DHCPNACK and when do I get one? Name 2 scenarios.
Recently I saw a lot of queries regarding when the Microsoft DHCP server issues a NAK to DHCP clients.For simplification purposes, I am listing down the possible scenarios in which the server should NOT issue a NAK. This should give you a good understanding of DHCP NAK behavior.When a DHCP server receives a DHCPRequest with a previously assigned address specified, it first checks to see if it came from the local segment by checking the GIADDR field. If it originated from the local segment, the DHCP server compares the requested address to the IP address and subnet mask belonging to the local interface that received the request.
DHCP server will issue a NAK to the client ONLY IF it is sure that the client, “on the local subnet”, is asking for an address that doesn’t exist on that subnet.The server will send a NAK EXCEPT in the following scenarios:-

1. Requested address from possibly the same subnet but not in the address pool of the server:-
This can be the failover scenario in which 2 DHCP servers are serving the same subnet so that when one goes down, the other should not NAK to clients which got an IP from the first server.

2. Requested address on a different subnet:-
If the Address is from the same superscope to which the subnet belongs, DHCP server will ACK the REQUEST.

21. What ports are used by DHCP and the DHCP clients?
Requests are on UDP port 68, Server replies on UDP 67

22. Describe the process of installing a DHCP server in an AD infrastructure.
Use Add/Remove program wizard . . .

23. What is DHCPINFORM?
DHCPInform is a DHCP message used by DHCP clients to obtain DHCP options. While PPP remote access clients do not use DHCP to obtain IP addresses for the remote access connection, Windows 2000 and Windows 98 remote access clients use the DHCPInform message to obtain DNS server IP addresses, WINS server IP addresses, and a DNS domain name. The DHCPInform message is sent after the IPCP negotiation is concluded. The DHCPInform message received by the remote access server is then forwarded to a DHCP server. The remote access server forwards DHCPInform messages only if it has been configured with the DHCP Relay Agent..

24. Describe the integration between DHCP and DNS.
Traditionally, DNS and DHCP servers have been configured and managed one at a time. Similarly, changing authorization rights for a particular user on a group of devices has meant visiting each one and making configuration changes. DHCP integration with DNS allows the aggregation of these tasks across devices, enabling a company’s network services to scale in step with the growth of network users, devices, and policies, while reducing administrative operations and costs.

This integration provides practical operational efficiencies that lower total cost of ownership. Creating a DHCP network automatically creates an associated DNS zone, for example, reducing the number of tasks required of network administrators. And integration of DNS and DHCP in the same database instance provides unmatched consistency between service and management views of IP address-centric network services data.

25.What options in DHCP do you regularly use for an MS network?
Automatic providing IP address
Subnet mask
DNS server
Domain name
Default getaway or router

26. What are User Classes and Vendor Classes in DHCP?
Microsoft Vendor Classes
The following list contains pre-defined vendor classes that are available in Windows 2000 DHCP server.

Class Data Class Name Description MSFT 5.0 Microsoft Windows
2000 options Class that includes all Windows 2000 DHCP
clients. MSFT 98 Microsoft
Windows 98 options Class that includes all Windows 98 and
Microsoft Windows Millennium Edition (Me) DHCP clients. MSFT
Microsoft options Class that includes
all Windows 98, Windows Me, and Windows 2000 DHCP clients.
If you have non-Microsoft DHCP clients, you can define other vendor-specific classes on the DHCP server. When you define such classes, make sure the vendor class identifier that you define matches the identifier used by the clients.

User Classes
The following list contains pre-defined user classes that
are available in Windows 2000 DHCP server.

Collapse this tableExpand this table

Class ID Class Type Description Unspecified Default user
class All DHCP clients that have no user class specified.
RRAS.Microsoft Default Routing and Remote Access class All Dial-Up Networking (DUN) clients. Bootp Default Bootp class All Bootp clients

In addition to these pre-defined classes, you can also add custom user classes for Windows 2000 DHCP clients. When you configure such classes, you must specify a custom identifier that corresponds to the user
class defined on the DHCP server.

27.How do I configure a client machine to use a specific User Class?
The command to configure a client machine to use a specific user class is
ipconfig /setclassid “<Name of your Network card>” <Name of the class you created on DHCP and you want to join (Name is case sensitive)>
Eg:
ipconfig /setclassid ” Local Area Network” Accounting

28. What is the BOOTP protocol used for, where might you find it in Windows network infrastructure?
BootP (RFC951) provides
* a unique IP address to the requester (using port 67) similar to the DHCP request on port 68 AND
* can provide (where supported) the ability to boot a system without a hard drive (ie: a diskless client)

Apple OS X 10.* Server supports BootP (albeit) renamed as NetBoot. The facility allows the Admin to maintain a selected set of configurations as boot images and then assign sets of client systems to share(or boot from) that image. For example Accounting, Management, and Engineering departments have elements in common, but which can be unique from other
departments. Performing upgrades and maintenance on three images is far more productive that working on all client systems individually.

Startup is obviously network intensive, and beyond 40-50 clients, the Admin needs to carefully subnet the infrastructure, use gigabit switches, and host the images local to the clients to avoid saturating the network. This will expand the number of BootP servers and multiply the number of images, but the productivity of 1 BootP server per 50 clients is
undeniable

Sunmicro, Linux, and AIX RS/600 all support BootP.
To date, Windows does not support booting “diskless clients”.

29. DNS zones – describe the differences between the 4 types.
Dns zone is actual file which contains all the records for a specific domain.

i)Forward Lookup Zones :-
This zone is responsible to resolve host name to ip.

ii)Reverse Lookup Zones :-
This zone is responsible to resolve ip to host name.

iii)Stub Zone :-
Stubzone is read only copy of primary zone.but it contains
only 3 records viz

the SOA for the primary zone, NS record and a Host (A) record.

30. DNS record types – describe the most important ones. Type of Record What it does

A (Host) Classic resource record. Maps hostname to IP(ipv4)

PTR Maps IP to hostname (Reverse of A (Host)

AAAA Maps hostname to ip (ipv6)

Cname Canonical name, in plain English an alias.such as Web Server,FTP Server, Chat Server

NS Identifies DNS name servers. Important for forwarders

MX Mail servers, particularly for other domains.MX records required to deliver internet email.

_SRV Required for Active Directory. Whole family of underscore service,records, for example, gc = global catalog.

SOA Make a point of finding the Start of Authority (SOA) tab at the
DNS Server.

31. Describe the process of working with an external domain name
Serving Sites with External Domain Name Servers , If you host Web sites on this server and have a standalone DNS server acting as a primary (master) name server for your sites, you may want to set up your control panel’s DNS server to function as a secondary (slave) name server:

To make the control panel’s DNS server act as a secondary name server:
1. Go to Domains > domain name > DNS Settings (in the Web Site group).
2. Click Switch DNS Service Mode.
3. Specify the IP address of the primary (master) DNS server.
4. Click Add.
5. Repeat steps from 1 to 5 for each Web site that needs to have a secondary name server on this machine.

To make the control panel’s DNS server act as a primary for a zone:
1. Go to Domains > domain name > DNS Settings (in the Web Site group).
2. Click Switch DNS Service Mode. The original resource records for the zone will be restored.

If you host Web sites on this server and rely entirely on other machines to perform the Domain Name Service for your sites (there are two external name servers – a primary and a secondary), switch off the control panel’s DNS service for each site served by external name servers.

To switch off the control panel’s DNS service for a site
served by an external name server:
1. Go to Domains > domain name > DNS Settings (in the Web Site group).
2. Click Switch Off the DNS Service in the Tools group.
Turning the DNS service off for the zone will refresh the screen, so that only a list of name servers remains.

Note: The listed name server records have no effect on the system. They are only presented on the screen as clickable links to give you a chance to validate the configuration of the zone maintained on the external authoritative name servers.

1. Repeat the steps from 1 to 3 to switch off the local domain name service for each site served by external name servers.

If you wish to validate the configuration of a zone maintained on authoritative name servers:
1. Go to Domains > domain name > DNS Settings (in the Web Site group).
2. Add to the list the entries pointing to the
appropriate name servers that are authoritative for the zone: click Add, specify a name server, and click OK. Repeat this for each name server you would like to test. The records will appear in the list.

1. Click the records that you have just created. Parallels Plesk Panel will retrieve the zone file from a remote name server and check the resource records to make sure that domain’s resources are properly resolved.
The results will be interpreted and displayed on the screen.

32. Describe the importance of DNS to AD.
When you install Active Directory on a server, you promote the server to the role of a domain controller for a specified domain. When completing this process, you are prompted to specify a DNS domain name for the Active Directory domain for which you are joining and promoting the server.If during this process, a DNS server authoritative for the domain that you
specified either cannot be located on the network or does not support the DNS dynamic update protocol, you are prompted with the option to install a DNS server. This option is provided because a DNS server is required to locate this server or other domain controllers for members of an Active Directory domain

33.Describe a few methods of finding an MX record for a remote domain on the Internet.
In order to find MX Records for SMTP domains you can use Command-line tools such as NSLOOKUP or DIG. You can also use online web services that allow you to perform quick searches and display the information in a convenient manner.

34. What does “Disable Recursion” in DNS mean?
In the Windows 2000/2003 DNS console (dnsmgmt.msc), under a server’s Properties -> Forwarders tab is the setting Do not use recursion for this domain. On the Advanced tab you will find the confusingly similar option Disable recursion (also disables forwarders).
Recursion refers to the action of a DNS server querying additional DNS servers (e.g. local ISP DNS or the root DNS servers) to resolve queries that it cannot resolve from its own database

35. What could cause the Forwarders and Root Hints to be grayed out?
Win2K configured your DNS server as a private root server

36. What is a “Single Label domain name” and what sort of issues can it cause?
Single-label names consist of a single word like “contoso”.
• Single-label DNS names cannot be registered by using an Internet registrar.
• Client computers and domain controllers that joined to single-label domains require additional configuration to ynamically register DNS records in
single-label DNS zones. • Client computers and domain controllers may require additional configuration to resolve DNS queries in single-label DNS zones.
• By default, Windows Server 2003-based domain members, Windows XP-based domain members, and Windows 2000-based domain members do not perform dynamic updates to single-label DNS zones.
• Some server-based applications are incompatible with single-label domain names. Application support may not exist in the initial release of an application, or support may be dropped in a future release. For example,
Microsoft Exchange Server 2007 is not supported in environments in which single-label DNS is
used.
• Some server-based applications are incompatible with the domain rename feature that is supported in Windows Server 2003 domain controllers and in Windows Server 2008 domain controllers. These incompatibilities either block or complicate the use of the domain rename feature when you try to rename a single-label DNS name to a fully qualified domain name.

37. What is the “in-addr.arpa” zone used for?
When creating DNS records for your hosts, A records make sense. After all, how can the world find your mail server unless the IP address of that server is associated with its hostname within a DNS database? However, PTR records aren’t as easily understood. If you already have a zone file, why
does there have to be a separate in-addr.arpa zone containing PTR records matching your A records? And who should be making those PTR records–you or your provider? Let’s start by defining in-addr.arpa. .arpa is actually a TLD like .com or .org. The name of the TLD comes from Address and Routing Parameter Area and it has been designated by the IANA to be used exclusively for Internet infrastructure purposes. In other words, it is an important zone and an integral part of the inner workings of DNS. The
RFC for DNS (RFC 1035) has an entire section on the in-addr.arpa domain. The first two paragraphs in that section state the purpose of the domain: “The Internet uses a special domain to support gateway location and Internet address to host mapping. Other classes may employ a similar
strategy in other domains. The intent of this domain is to provide a guaranteed method to perform host address to host name mapping, and to facilitate queries to locate all gateways on a particular network in the Internet. Note that both of these services are similar to functions that could be performed by inverse queries; the difference is that this part of the domain name space is structured according to address, and hence can guarantee that the appropriate data can be located without an exhaustive search of the domain space.” In other words, this zone provides a database of all allocated networks and the DNS reachable hosts within those networks. If your assigned network does not appear in this zone, it appears to be unallocated. And if your hosts don’t have a PTR record in this database, they appear to be unreachable through DNS. Assuming an A record exists for a host, a missing PTR record may or may not impact on the DNS reachability of that host, depending upon the applications running on that host. For example, a mail server will definitely be impacted as PTR records are used in mail header checks and by most anti-SPAM mechanisms. Depending upon your web server configuration, it may also depend upon an existing PTR record. This is why the DNS RFCs recommend that every A record has an associated PTR record. But who should make and host those PTR records? Twenty years ago when you could buy a full Class C network address (i.e. 254 host addresses) the answer was easy: you. Remember, the in-addr.arpa zone is concerned with delegated network addresses. In other words, the owner of the network address is authoritative (i.e. responsible) for the host PTR records associated with that network address space. If you only own one or two host addresses within a network address space, the provider you purchased those addresses from needs to host your PTR records as the provider is the owner of (i.e. authoritative for) the network address. Things are a bit more interesting if you have been delegated a CIDR block of addresses. The in-addr.arpa zone assumes a classful addressing scheme where a Class A address is one octet (or /8), a Class B is 2 octets (or /16) and a Class C is 3 octets (or /24). CIDR allows for delegating address space outside of these boundaries–say a /19 or a /28. RFC 2317 provides a best current practice for maintaining in-addr.arpa with these types of network allocations. Here is a summary regarding PTR records: • Don’t wait until users complain about DNS unreachability–be proactive and ensure there is an associated PTR record for every A record. • If your provider hosts your A records, they should also host your PTR records. • If you only have one or two assigned IP addresses, your provider should host your PTR records as they are authoritative for the network those hosts belong to. • If you own an entire network address (e.g. a Class C
address ending in 0), you are responsible for hosting your PTR records. • If you are configuring an internal DNS server within the private address ranges (e.g. 10.0.0.0 or
192.168.0.0), you are responsible for your own internal PTR records. • Remember: the key to PTR hosting is knowing who is authoritative for the network address for your domain. When in doubt, it probably is not you.

38. What are the requirements from DNS to support AD?
When you install Active Directory on a member server, the member server is promoted to a domain controller. Active Directory uses DNS as the location mechanism for domain controllers, enabling computers on the network to obtain IP addresses of domain controllers. During the installation of Active Directory, the service (SRV) and address (A) resource records are dynamically registered in DNS, which are necessary for the successful functionality of the domain controller locator (Locator) mechanism.
To find domain controllers in a domain or forest, a client queries DNS for the SRV and A DNS resource records of the domain controller, which provide the client with the names and IP addresses of the domain controllers. In this context, the SRV and A resource records are referred to as Locator DNS resource records. When adding a domain controller to a forest, you are updating a DNS zone hosted on a DNS server with the Locator DNS resource records and identifying the domain controller. For this reason, the DNS zone must allow dynamic updates (RFC 2136) and the DNS server hosting that zone must support the SRV resource records (RFC 2782) to advertise the Active Directory directory service. For more information about RFCs, see DNS RFCs.
If the DNS server hosting the authoritative DNS zone is not a server running Windows 2000 or Windows Server 2003, contact your DNS administrator to determine if the DNS server supports the required standards. If the server does not support the required standards, or
the authoritative DNS zone cannot be configured to allow dynamic updates, then modification is required to your existing DNS infrastructure.

39. How do you manually create SRV records in DNS?
this is on windows server
go to run —> dnsmgmt.msc
rightclick on the zone you want to add srv record to and choose “other new record” and choose service location(srv)…..

40. Name 3 benefits of using AD-integrated zones.
1. you can give easy name resolution to ur clients.
2. By creating AD- integrated zone you can also trace hacker and spammer by creating reverse zone.
3. AD integrated zoned all for incremental zone transfers which on transfer changes and not the entire zone. This reduces zone transfer traffic.
4. AD Integrated zones suport both secure and dmanic updates.
5. AD integrated zones are stored as part of the active directory and support domain-wide or forest-wide replication through application pertitions in AD.
41. What are the benefits of using Windows 2003 DNS when using AD-integrated zones?

Advantages:
DNS supports Dynamic registration of SRV records registered by a Active Directory server or a domain controller during promotion. With the help of SRV records client machines can find domain controllers in the network.
1. DNS supports Secure Dynamic updates. Unauthorized access is denied.
2. Exchange server needs internal DNS or AD DNS to locate Global Catalog servers.
3. Active Directory Integrated Zone. If you have more than
one domain controller (recommended) you need not worry about
zone replication. Active Directory replication will take care of DNS zone replication also.
4. If your network use DHCP with Active Directory then no other DHCP will be able to service client requests coming from different network. It is because DHCP server is authorized in AD and will be the only server to participate on network to provide IP Address information to client machines.

5. Moreover, you can use NT4 DNS with Service Pack 4 or later. It supports both SRV record registration and Dynamic Updates.
Using Microsoft DNS gives the following benefits:
If you implement networks that require secure updates.
If you want to take benefit of Active Directory replication.
If you want to integrate DHCP with DNS for Low-level clients
to register their Host records in Zone database.

42. You installed a new AD domain and the new (and first) DC has not registered its SRV records in DNS. Name a few possible causes.
The machine cannot be configured with DNS client her own
The DNS service cannot be run

43. What are the benefits and scenarios of using Stub zones?
One of the new features introduced in the Windows Server 2003-based implementation of DNS are stub zones. Its main purpose is to provide name resolution in domains, for which a local DNS server is not authoritative. The stub zone contains only a few records:

- Start of Authority (SOA)
record pointing to a remote DNS server that is considered to be the best source of information about the target DNS domain, – one or more Name Server (NS) records (including the entry associated with the SOA record), which are authoritative for the DNS domain represented by the stub zone, – corresponding A records for each of the NS entries (providing IP addresses of the servers). While you can also provide name resolution for a remote domain by either creating a secondary zone (which was a common approach in
Windows Server 2000 DNS implementation) or delegation (when dealing with a contiguous namespace), such approach forces periodic zone transfers, which are not needed when stub zones are used. Necessity to traverse network in order to obtain individual records hosted on the remote Name Servers is mitigated to some extent by caching process, which keeps them on the local server for the duration of their Time-to-Live (TTL) parameter. In addition, records residing in a stub zone are periodically validated and refreshed in order to avoid lame delegations.

45. What are the differences between Windows Clustering, Network Load Balancing and Round Robin, and scenarios for each use?

I will make a few assumptions here:

1) By “Windows Clustering Network Load Balancing” you mean Windows Network
Load Balancing software included in Windows Server software a.k.a NLB., and
2) By Round Robin, you mean DNS Round Robin meaning the absence of a software or hardware load balancing device, or the concept of the Round Robin algorithm available in just about every load balancing solution.

Microsoft NLB is designed for a small number (4 – 6) of Windows Servers and a low to moderate number of new connections per second, to provide distribution of web server requests to multiple servers in a virtual resource pool. Some would call this a “cluster”, but there are suttle differences between a clustered group of devices and a more loosely configured virtual pool. From the standpoint of scalability and performance, almost all hardware load balancing solutions are superior to this and other less known software load balancing solutions [e.g. Bright Tiger circa 1998].

DNS Round Robin is an inherent load balancing method built into DNS. When you resolve an IP address that has more than one A record, DNS hands out different resolutions to different requesting local DNS servers. Although there are several factors effecting the exact resulting algorithm (e.g. DNS caching, TTL, multiple DNS servers [authoritative or cached]), I stress the term “roughly” when I say it roughly results in an even distribution of resolutions to each of the addresses specified for a particular URL. It does not however, consider availability, performance, or any other metric and is completely static. The basic RR algorithm is available in many software and hardware load balancing solutions and simply hands the next request to the next resource and starts back at the first resource when it hits the last one.

NLB is based on proprietary software, meant for small groups of Windows servers only on private networks, and is dynamic in nature (takes into account availability of a server, and in some cases performance). “Round Robin”, DNS or otherwise, is more generic, static in nature (does not take into account anything but the resource is a member of the resource pool and each member is equal), and ranges from DNS to the default static load balancing method on every hardware device in the market.

47. How do I clear the DNS cache on the DNS server?
To clear the server names cache
* Using the Windows interface
* Using a command line

Using the Windows interface

1. Open DNS.

2. In the console tree, click the applicable DNS server.

Where?

* DNS/applicable DNS server

3. On the Action menu, click Clear Cache.

Notes

* To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

* To open DNS, click Start, click Control Panel,
double-click Administrative Tools, and then double-click DNS.

Using a command line

1. Open Command Prompt.

2. Type the following command and then press ENTER:

Dnscmd ServerName /clearcache

48. What is the 224.0.1.24 address used for?

WINS server group address. Used to support autodiscovery and dynamic configuration of replication for WINS servers. For more information, see WINS replication overview WINS server group address. Used to support autodiscovery and dynamic configuration of replication for WINS servers.

49. What is WINS and when do we use it?

In the Windows Server family, the primary means for client computer to locate and communicate with other computers on an Internet Protocol (IP) network is by using Domain Name
System (DNS). However, clients that use older versions of Windows, such as Windows NT 4.0, use network basic I/O system (NetBIOS) names for network communication. Some applications that run on Windows Server 2003 may also use NetBIOS names for network communication. Using NetBIOS names requires a method of resolving NetBIOS names to IP . Using a WINS server is essential for any Windows client computer to work with other Windows computers over the Internet. In addition, using a WINS server is essential for any Windows client computer at Indiana University that intends to use Microsoft network resources. To use WINS services, you must insert into your TCP/IP networking configuration the IP address of the WINS servers you wish to use.

51. Describe the differences between WINS push and pull replications.

To replicate database entries between a pair of WINS servers, you must configure each WINS server as a pull partner, a push partner, or both with the other WINS server.

* A push partner is a WINS server that sends a message to its pull partners, notifying them that it has new WINS database entries. When a WINS server’s pull partner responds to the message with a replication request, the WINS server sends (pushes) copies of its new WINS database entries (also known as replicas) to the requesting pull partner.
* A pull partner is a WINS server that pulls WINS database entries from its push partners by requesting any new WINS database entries that the push partners have. The pull partner requests the new WINS database entries that have a higher version number than the last entry the pull
partner received during the most recent replication.

52. What is the difference between tombstoning a WINS record and simply deleting it?
Simple deletion removes the records that are selected in the WINS console only from the local WINS server you are currently managing. If the WINS records deleted in this way exist in WINS data replicated to other WINS servers on your network, these additional records are not fully removed.
Also, records that are simply deleted on only one server can reappear after replication between the WINS server where simple deletion was used and any of its replication partners. Tombstoning marks the selected records as tombstoned, that is, marked locally as extinct and immediately released from active use by the local WINS server. This method allows the tombstoned records to remain present in the server database for purposes of subsequent replication of these records to other servers. When the tombstoned records are replicated, the tombstone status is updated and applied by other WINS servers that store replicated copies of these records. Each replicating WINS server then updates and tombstones

54. Describe the role of the routing table on a host and on a router.
During the process of routing, decisions of hosts and routers are aided by a database of routes known as the routing table. The routing table is not exclusive to a router. Depending on the routable protocol, hosts may also have a routing table that may be used to decide the best router for the packet to be forwarded. Host-based routing tables are optional for the Internet Protocol, as well as obsolete routable protocols such as IPX.

55. What are routing protocols? Why do we need them? Name a few.
A routing protocol is a protocol that specifies how routers communicate with each other, disseminating information that enables them to select routes between any two nodes on a computer network, the choice of the route being done by routing algorithms. Each router has a prior knowledge only of networks attached to it directly. A routing protocol shares this information first among immediate neighbors, and then throughout the network. This way, routers gain knowledge of the topology of the network. For a discussion of the concepts behind routing protocols, see: Routing.

The term routing protocol may refer specifically to one operating at layer three of the OSI model, which similarly disseminates topology information between routers.
Many routing protocols used in the public Internet are defined in documents called RFCs.[1][2][3][4]
Although there are many types of routing protocols, two major classes are in widespread use in the Internet:
link-state routing protocols, such as OSPF and IS-IS; and
path vector or distance vector protocols, such as BGP, RIP
and EIGRP.

56. What are router interfaces? What types can they be?
Routers can have many different types of connectors; from Ethernet, Fast Ethernet, and Token Ring to Serial and ISDN ports. Some of the available configurable items are logical addresses (IP,IPX), media types, bandwidth, and administrative commands. Interfaces are configured in interface mode which you get to from global configuration mode after logging in.
The media type is Ethernet, FastEthernet, GigabitEthernet,
Serial, Token-ring, or other media types. You must keep in
mind that a 10Mb Ethernet interface is the only kind of Ethernet interface called Ethernet. A 100Mb Ethernet interface is called a FastEthernet interface and a 1000Mb Ethernet interface is called a GigabitEthernet interface.

58. What is NAT?
Windows Server 2003 provides network address translation (NAT) functionality as a part of the Routing and Remote Access service. NAT enables computers on small- to medium-sized organizations with private networks to access resources on the Internet or other public network. The
computers on a private network are configured with reusable private Internet Protocol version 4 (IPv4) addresses; the computers on a public network are configured with globally unique IPv4 (or, rarely at present, Internet Protocol version 6 [IPv6]) addresses. A typical deployment is a small office or home office (SOHO), or a medium-sized businesss, that uses Routing and Remote Access NAT technology to enable computers on the internal corporate network to connect to resources on the Internet without having to deploy a proxy server.

59. What is the real difference between NAT and PAT?
Take NAT (Network Address Translation) and PAT (Port Address Translation). NAT allows you to translate or map one IP address onto another single ip address. PAT on the other hand is what is most commonly referred to as NAT. In a PAT system you have a single or group of public IP addresses that are translated to multiple internal ip addresses by mapping the TCP/UDP ports to different ports. This means that by using some “magic” on a router or server you can get around problems that you might have with two web browsers sending a request out the same port.

60. How do you configure NAT on Windows 2003?
http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html

Configure Routing and Remote Access
To activate Routing and Remote Access, follow these steps:
1. Click Start, point to All Programs, point to
Administrative Tools, and then click Routing and Remote Access.
2. Right-click your server, and then click Configure and
Enable Routing and Remote Access.
3. In the Routing and Remote Access Setup Wizard, click
Next, click Network address translation (NAT), and then
click Next.
4. Click Use this public interface to connect to the
Internet, and then click the network adapter that is
connected to the Internet. At this stage you have the option
to reduce the risk of unauthorized access to your network.
To do so, click to select the Enable security on the
selected interface by setting up Basic Firewall check box.
5. Examine the selected options in the Summary box, and
then click Finish.

Configure dynamic IP address assignment for private network clients You can configure your Network Address Translation computer to act as a Dynamic Host Configuration Protocol (DHCP) server for computers on your internal network.
follow these steps:

1. Click Start, point to All Programs, point to
Administrative Tools, and then click Routing and Remote Access.
2. Expand your server node, and then expand IP Routing.
3. Right-click NAT/Basic Firewall, and then click Properties.
4. In the NAT/Basic Firewall Properties dialog box, click the Address Assignment tab.
5. Click to select the Automatically assign IP addresses
by using the DHCP allocator check box. Notice that default
private network 192.168.0.0 with the subnet mask of
255.255.0.0 is automatically added in the IP address and the Mask boxes. You can keep the default values, or you can
modify these values to suit your network.
6. If your internal network requires static IP assignment for some computers — such as for domain controllers or for DNS servers — exclude those IP addresses from the DHCP pool. To do this, follow these steps:
1. Click Exclude.
2. In the Exclude Reserved Addresses dialog box,
click Add, type the IP address, and then click OK.
3. Repeat step b for all addresses that you want to exclude.
4. Click OK.

Configure name resolution To configure name resolution, follow these steps:
1. Click Start, point to All Programs, point to
Administrative Tools, and then click Routing and Remote Access.
2. Right-click NAT/Basic Firewall, and then click Properties.
3. In the NAT/Basic Firewall Properties dialog box, click the Name Resolution tab.
4. Click to select the Clients using Domain Name System
(DNS) check box. If you use a demand-dial interface to
connect to an external DNS server, click to select the
Connect to the public network when a name needs to be
resolved check box, and then click the appropriate dial-up
interface in the list.

61. How do you allow inbound traffic for specific hosts on Windows 2003 NAT?
You can use the Windows Server 2003 implementation of IPSec to compensate for the limited protections provided by applications for network traffic, or as a network-layer foundation of a defense-in-depth strategy. Do not use IPSec as a replacement for other user and application security
controls, because it cannot protect against attacks from within established and trusted communication paths. Your authentication strategy must be well defined and implemented for the potential security provided by IPSec to be realized, because authentication verifies the identity and trust of the computer at the other end of the connection.

62. What is VPN? What types of VPN does Windows 2000 and beyond work with natively?
VPN gives extremely secure connections between private
networks linked through the Internet. It allows remote
computers to act as though they were on the same secure,
local network.

L2TP (layer 2 tunneling protocol )
vpn server is also know as L2TP server in native mode & in
PPTP in mixed mode

63. What is IAS? In what scenarios do we use it?
IAS is called as Internet Authentication Service. It’s used by for configuring centralised authentication using RADIUS server.

64. What’s the difference between Mixed mode and Native mode in AD when dealing with RRAS?
When you are in Mixed mode certain options in the dial-in tab of the user proeprties are disabled. And some of the RRAS policies are also disabled. So if you want high level security with all the advanced feature then change the AD to Native mode.

65. What is the “RAS and IAS” group in AD?
Used for managing security and allowing administration for the respective roles of the server.

66. What are Conditions and Profile in RRAS Policies?
The conditions and profiles are used to set some restrictions based on the media type, connection method, group membership and lot more. So if used matches those conditions mentioned in the profile then he can allowed /
denied access to RAS / VPN server.

67. What types or authentication can a Windows 2003 based RRAS work with?
It supports authentication methods like MSCHAPv2, MSCHAP, SPAP, EAP, Digest authentication. ( You can check it by going to properties of your server in RRAS )

68. How does SSL work?
Internet communication typically runs through multiple program layers on a server before getting to the requested data such as a web page or cgi scripts.

The outer layer is the first to be hit by the request. This is the high level protocols such as HTTP (web server), IMAP (mail server), and FTP (file transfer).

Determining which outer layer protocol will handle the request depends on the type of request made by the client. This high level protocol then processes the request through the Secure Sockets Layer. If the request is for a non-secure connection it passes through to the TCP/IP layer and the server application or data.

If the client requested a secure connection the ssl layer initiates a handshake to begin the secure communication process. Depending on the SSL setup on the server, it may require that a secure connection be made before allowing communication to pass through to the TCP/IP layer in which
case a non-secure request will send back an error asking for them to retry securely (or simply deny the non-secure
connection).

69. How does IPSec work?
IPSec is an Internet Engineering Task Force (IETF) standard suite of protocols that provides data authentication, integrity, and confidentiality as data is transferred between communication points across IP networks. IPSec provides data security at the IP packet level. A packet is a data bundle that is organized for transmission across a network, and it includes a header and payload (the data in the packet). IPSec emerged as a viable network security standard because enterprises wanted to ensure that data could be securely transmitted over the Internet. IPSec protects against possible security exposures by protecting data while in transit.

70. How do I deploy IPSec for a large number of computers?
Just use this program Server and Domain Isolation Using IPsec and Group Policy

71. What types of authentication can IPSec use?

Deploying L2TP/IPSec-based Remote Access
Deploying L2TP-based remote access VPN connections using Windows Server 2003 consists of the following:
* Deploy certificate infrastructure
* Deploy Internet infrastructure
* Deploy AAA infrastructure
* Deploy VPN servers
* Deploy intranet infrastructure
* Deploy VPN clients

* Implantar certificado infra-estrutura
* Implantar infra-estrutura Internet
* Implantar infra-estrutura AAA
* Implementar VPN servidores
* Implantar intranet infra-estrutura
* Implementar clientes VPN

72. What is PFS (Perfect Forward Secrecy) in IPSec?
In an authenticated key-agreement protocol that uses public key cryptography, perfect forward secrecy (or PFS) is the property that ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the (long-term) private keys is compromised in the future. Forward secrecy has been used as a synonym for perfect forward secrecy [1], since the term perfect has been controversial in this context. However, at least one reference [2] distinguishes perfect forward secrecy from forward secrecy with the additional property that an agreed key will not be compromised even if agreed keys derived from the same long-term keying material in a subsequent run are compromised.

73. How do I monitor IPSec?
To test the IPSec policies, use IPSec Monitor. IPSec Monitor (Ipsecmon.exe) provides information about which IPSec policy is active and whether a secure channel between computers is established.

74. Looking at IPSec-encrypted traffic with a sniffer. What packet types do I see?
You can see the packages to pass, but you can not see its
contents

IPSec Packet Types
IPSec packet types include the authentication header (AH) for data integrity and the encapsulating security payload (ESP) for data confidentiality and integrity. The authentication header (AH) protocol creates an envelope that provides integrity, data origin identification and protection against replay attacks. It authenticates every packet as a defense against session-stealing attacks. Although the IP header itself is outside the AH header, AH also provides limited verification of it by not allowing changes to the IP header after packet creation (note that this usually precludes the use of AH in NAT environments, which modify packet headers at the point of NAT). AH packets use IP protocol 51. The encapsulating security payload (ESP) protocol provides the features of AH (except for IP header authentication), plus encryption. It can also be used in a null encryption mode that provides the AH protection against replay attacks and other such attacks, without encryption or IP header
authentication. This can allow for achieving some of the benefits of IPSec in a NAT environment that would not ordinarily work well with IPSec. ESP packets use IP protocol 50.

75. What can you do with NETSH?
Netsh is a command-line scripting utility that allows you to, either locally or remotely, display, modify or script the network configuration of a computer that is currently running.

76. How do I look at the open ports on my machine?
Windows: Open a command prompt (Start button -> Run-> type
“cmd”), and type: netstat -a

Linux: Open an SSH session and type:
netstat –an

Technical Support

Monday, August 06, 2018

Technical Interview Questions Active Directory / Newtork / Exchange

Technical Interview Questions Active Directory/Network/Exchange

Explaining DNS Concepts - DNS Servers-DNS Queries-DNS Records

Pages

Search This Blog