QA for Active Directory

1.What’s the difference between local, global and universal groups? Domain local groups assign access permissions to global domain groups for local domain resources. Global groups provide access to resources in other trusted domains. Universal groups grant access to resources in all trusted domains.


AGLP – Create Account à Add it to a global group à Add that to a local group à then Provide the permission.


AGULP – Create Account à Add it to a global group àThe Universal group à Add that to a local group à then Provide the permission.


2.I am trying to create a new universal user group. Why can’t I? Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.


3.What is LSDOU? It’s group policy inheritance model, where the policies are applied to Local machines, Sites, Domains and Organizational Units.


4.Why doesn’t LSDOU work under Windows NT? If the NTConfig.pol file exist, it has the highest priority among the numerous policies.


5.What is GPT and GPC? Group policy template and group policy container.


6.Where is GPT stored? %SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID


7.You change the group policies, and now the computer and user settings are in conflict. Which one has the highest priority? The computer settings take priority.


8.How can you restrict running certain applications on a machine? Via group policy, security settings for the group, then Software Restriction Policies.


9.You need to automatically install an app, but MSI file is not available. What do you do? A .zap text file can be used to add applications using the Software Installer, rather than the Windows Installer.


10.What’s the difference between Software Installer and Windows Installer? The former has fewer privileges and will probably require user intervention. Plus, it uses .zap files.


11.What can be restricted on Windows Server 2003 that wasn’t there in previous products? Group Policy in Windows Server 2003 determines a users right to modify network and dial-up TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network configuration parameters.


12.How frequently is the client policy refreshed? 90 minutes give or take.


13.Where is secedit? It’s now gpupdate.


14.You want to create a new group policy but do not wish to inherit. Make sure you check Block inheritance among the options when creating the policy.


15.What is “tattooing” the Registry? The user can view and modify user preferences that are not stored in maintained portions of the Registry. If the group policy is removed or changed, the user preference will persist in the Registry.


16.How do you fight tattooing in NT/2000 installations? You can’t.


17.How do you fight tattooing in 2003 installations? User Configuration – Administrative Templates – System – Group Policy – enable – Enforce Show Policies Only.


18.What does IntelliMirror do? It helps to reconcile desktop settings, applications, and stored files for users, particularly those who move between workstations or those who must periodically work offline.


19.What’s the major difference between FAT and NTFS on a local machine? FAT and FAT32 provide no security over locally logged-on users. Only native NTFS provides extensive permission control on both remote and local files.


20.I have a file to which the user has access, but he has no folder permission to read it. Can he access it? It is possible for a user to navigate to a file for which he does not have folder permission. This involves simply knowing the path of the file object. Even if the user can’t drill down the file/folder tree using My Computer, he can still gain access to the file using the Universal Naming Convention (UNC). The best way to start would be to type the full path of a file into Run… window.



21.For a user in several groups, are Deny permissions restrictive or permissive? Restrictive, if at least one group has Deny permission for the file/folder, user will be denied access, regardless of other group permissions.


22.What hidden shares exist on Windows Server 2003 installation? Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.


23.What’s the difference between standalone and fault-tolerant DFS (Distributed File System) installations? The standalone server stores the Dfs directory tree structure or topology locally. Thus, if a shared folder is inaccessible or if the Dfs root server is down, users are left with no link to the shared resources. A fault-tolerant root node stores the Dfs topology in the Active Directory, which is replicated to other domain controllers. Thus, redundant root nodes may include multiple connections to the same data residing in different shared folders.


24.We’re using the DFS fault-tolerant installation, but cannot access it from a Win98 box. Use the UNC path, not client, only 2000 and 2003 clients can access Server 2003 fault-tolerant shares.


25.Where exactly do fault-tolerant DFS shares store information in Active Directory? In Partition Knowledge Table, which is then replicated to other domain controllers.


26.Can you use Start->Search with DFS shares? Yes.


27.What problems can you have with DFS installed? Two users opening the redundant copies of the file at the same time, with no file-locking involved in DFS, changing the contents and then saving. Only one file will be propagated through DFS.


28.I run Microsoft Cluster Server and cannot install fault-tolerant DFS. Yeah, you can’t. Install a standalone one.


29.Is Kerberos encryption symmetric or asymmetric? Symmetric.


30.How does Windows 2003 Server try to prevent a middle-man attack on encrypted line? Time stamp is attached to the initial client request, encrypted with the shared key.


31.What’s the number of permitted unsuccessful logons on Administrator account? Unlimited. Remember, though, that it’s the Administrator account, not any account that’s part of the Administrators group.


32.How many passwords by default are remembered when you check “Enforce Password History Remembered”? User’s last 6 passwords.



33.What is Active Directory?  Active Directory consists of a series of components that constitute both its logical structure and its physical structure. It provides a way for organizations to centrally manage, optimize network  and securely store their user objects, computer objects, group membership, and define security boundaries in a logical database structure. Physical Structure is Domain Controller, Active Directory Sites & Active Directory partitions.  Logical Structure is Objects, Organizational Units, Domains, Domain Tree & Forests.


34.What is LDAP? The Lightweight Directory Access Protocol, better known as LDAP, is based on the X.500 standard, developed by IETF Using LDAP, data will be retrieved from or stored in the correct location within our directory. It enables us to query and update the directory database, works out of port number 389.LDAP servers can be set to replicate some or all of their data, on a push or a pull basis, using simple authentication or certificate-based authentication.


35.Name of the ADS Database file?



36.What is the use of SYSVOL folder ?  Policies and scripts saved in SYSVOL folder will be replicated to all domain controllers in the domain. FRS (File replication service) is responsible for replicating all policies and scripts.


37.Name the NC’s  or partitions                                                                                                                                  Schema NC This NC is replicated to every other domain controller in the forest. It contains information about the Active Directory schema, which in turn defines the different object classes and attributes within Active Directory.

   Configuration NC Also replicated to every other DC in the forest, this NC contains forest-wide configuration information pertaining to the physical layout of Active Directory forest-wide Active Directory quotas.

   Domain NC This NC is replicated to every other DC within a single Active Directory domain. This is the NC that contains the most commonly-accessed Active Directory data: the actual users, groups, computers, and other objects that reside within a particular Active Directory domain.


38. What is an application partition ?

An application directory partition is a directory partition that is replicated only to A domain controller that hosts a replica of that particular application directory partition. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition. Application directory partitions are usually created for testing and troubleshooting purposes, members of the Enterprise Admins group can manually create or manage application directory partitions using the Ntdsutil command-line tool.


38.How do you view replication properties for AD partitions and DCs?

   Repadmin & Replmon


39.Can we connect Active Directory to other 3rd-party Directory Services?                                                                                        Yes we can in Microsoft version, it can be done using the LDAP.



40.What is the Global Catalog?                                                                                                                                   Global Catalog is a repository of information that contains a subset of the attributes of all objects in Active Directory.The attributes that are most frequently used in queries, such as a user.s first name, last name, and logon name.The global catalog feature in Active Directory makes searching for resources across domains and forests transparent to the user. For example, if you search for all of the printers in a forest, a global catalog server processes the query in the global catalog and then returns the results. Without a global catalog server, this query would require a search of every domain in the forest. We can call it a database, it helps users to logon to the domain. We have a GC automatically created on the initial DC, port # 3268, 3269 ssl. If GC fails only the member of domain admin group can logon.


41.How do you view all the GCs in the forest?

   dsquery server -forest –isgc.


42.How to check the Schema ?                                                                                                                                     Register schmmgmt.dll using this command c:\windows\system32>regsvr32 schmmgmt.dll                                                                            Open mmc –> add snapin –> add Active directory schema.


43.Site ?

A Windows Server 2003 site is a group of domain controllers that exist on one or more IP subnets and are connected by a fast, reliable network connection.  Fast means connections of at least 1Mbps. a site usually follows the boundaries of a local area network (LAN). If different LANs on the network are connected by a wide area network (WAN), you’ll likely create one site for each LAN. Sites are primarily used to control replication traffic. Domain controllers within a site are pretty much free to replicate changes to the Active Directory database whenever changes are made.Domain controllers in different sites compress the replication traffic and operate based on a defined schedule, both of  which are intended to cut down on network traffic.Sites work towards reducing Workstation logon traffic and Replication traffic.


44. What is the difference between a site link’s schedule and interval?

Schedule enables you to list weekdays or hours when the site link is available for replication to happen in the give interval. Interval is the re occurrence of the inter site replication in given minutes. It ranges from 15 – 10,080 mins. The default interval is 180 mins.


45. Replication ?

Windows Server 2003 uses a replication model called multimaster replication, in which all replicas of the Active Directory database are considered equal masters. You can make changes to the database on any domain controller and the changes will be replicated to other domain controllers in the domain.

Domain controllers in the same site replicate on the basis of notification. When changes are made on a domain controller, it notifies its replication partners (the other domain controllers in the site); the partners then request the changes and replication occurs. Because of the high-speed, low-cost connections assumed within a site, replication occurs as needed rather than according to a schedule.


Single site (called intrasite replication)

Replication between sites (called intersite replication).


Intrasite Replication Intrasite replication sends replication traffic in an uncompressed format. This is because of the assumption that all domain controllers within the site are connected by high-bandwidth links. Not only is the traffic uncompressed, but replication occurs according to a change notification mechanism. This means that if changes are made in the domain, those changes are quickly replicated to the other domain controllers.


Intersite Replication Intersite replication sends all data compressed. This shows an appreciation for the fact that the traffic will probably be going across slower WAN links (as opposed to the LAN connectivity intrasite replication assumes), but it increases the server load because compression/decompression is added to the processing requirements. In addition to the compression, the replication can be scheduled for times that are more appropriate to your organization. For example, you may decide to allow replication only during slower times of the day. Of course, this delay in replication (based on the schedule) can cause inconsistency between servers in different sites.


46. KCC ?

The Knowledge Consistency Checker is a built-in process that runs on all domain controllers and generates replication topology for the Active Directory forest. The KCC creates separate replication topologies depending on whether replication is occurring within a site (intrasite) or between sites (intersite). The KCC also dynamically adjusts the topology to accommodate new domain controllers, domain controllers moved to and from sites, changing costs and schedules, and domain controllers that are temporarily unavailable. Within a site, the connections between domain controllers are always arranged in a bidirectional ring, with additional shortcut connections to reduce latency in large sites. On the other hand, the intersite topology is a layering of spanning trees, which means one intersite connection exists between any two sites for each directory partition and generally does not contain shortcut connections.


47. Bridge head?

A Bridge head server is a domain controller that is used for intersite replication. This is the point of contact for a domain controller in another site. This passed replication traffic to a domain controller on another site. replication data is compressed and sent over IP or SMTP.

To designate a preferred bridgehead server
Open Active Directory Sites and Services — In the console tree, right-click the domain controller that you want to make a preferred bridgehead server, and then click Properties — On the General tab, click the intersite transport or transports for which this computer will be a preferred bridgehead server, and then click Add.


48. FSMO in detail


Forest-wide Roles



●Schema master

Controls all updates to the schema. The schema contains the master list of object classes and attributes that are used to create all Active Directory objects, such as users, computers, and printers.

●Domain naming master

Controls the addition or removal of domains in the forest. When you add a new domain to the forest, only the domain controller that holds the domain naming master role can add the new domain.

There is only one schema master and one domain naming master in the entire forest.

Domain-wide Roles


Domain-wide roles are unique to each domain in a forest, the domain-wide roles are:

●Primary domain controller emulator (PDC)

Acts as a Windows NT PDC to support any backup domain controllers (BDCs) running Microsoft Windows® NT within a mixed-mode domain. This type of domain has domain controllers that run Windows NT 4.0. The PDC emulator is the first domain controller that you create in a new domain.

●Relative identifier master (RID)

When a new object is created, the domain controller creates a new security principal that represents the object and assigns the object a unique security identifier (SID). This SID consists of a domain SID, which is the same for all security principals created in the domain, and a RID, which is unique for each security principal created in the domain. The RID master allocates blocks of RIDs to each domain controller in the domain. The domain controller then assigns a RID to objects that are created from its allocated block of RIDs.

●Infrastructure master

when objects are moved from one domain to another, the infrastructure master updates object references in its domain that point to the object in the other domain. The object reference contains the object’s globally unique identifier (GUID), distinguished name, and a SID. Active Directory periodically updates the distinguished name and the SID on the object reference to reflect changes made to the actual object, such as moves within and between domains and the deletion of the object.


Configuring the FSMO


Through MMC 

We can configure Domain Naming Master role through Active directory domains and trusts

We can configure Schema Master Role through Active Directory schema

Other Three roles we can configure by Active directory users and computers

Through command promt

By using command NTDSUTIL—type ROLES—type CONNECTIONS—CONNECT TO SERVER SERVERNAME where server name is the name of the domain controller that you want to assign role—- Type transfer role, where role is the role that you want to transfer. For a list of roles that you can transfer, type? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to transfer the RID master role, type transfer rid master. The one exception is for the PDC emulator role, whose syntax is transfer pdc, not transfer pdc emulator. 




When Infrastructure master and Global catalog will be on One DC, what is the issue if both resides on same system?


Unless there is only one DC in a domain the Infrastructure role should not be on the DC that is hosting the global catalog. If they are on the same server the infrastructure master will not function, it will never find data that is out of date and so will never replicate changes to other DCs in a domain.

If all DCs in a domain also host a global catalog then it does not matter which DC has the infrastrucure master role as all DCs will be up to date due to the global catalog.




FSMO Role Failure

Some of the operations master roles are essential for AD functionality, others can be unavailable for a while before thier absence will be noticed. Normally it is not the failure of the role, but rather the failure of the DC on which the role is running.

If a DC fails which is a role holder you can seize the role on another DC, but you should always try and transfer the role first.

Before seizing a role you need to asses the duration of the outage of the DC which is holding the role. If it is likely to be a short outage due to a temportary power or network issue then you would probably want to wait rather than seize the role.


Schema Master Failure

In most cases the loss of the schema master will not affect network users and only affect Admins if modifications to the schema are required. You should however only seize this role when the failure of the existing holder is considered permanent.

Note: A DC whose schema master role has been seized should never be brought back online


Domain Naming Master Failure

Temporary loss of this role holder will not be noticable to network users. Domain Admins will only notice the loss if they try and add or remove a domain in the forest. You should however only seize this role when the failure of the existing holder is considered permanent.

Note: A DC whose schema master role has been seized should never be brought back online


RID Master Failure

Temporary loss of this role holder will not be noticable to network users. Domain Admins will only notice the loss if a domain they are creating objects in runs out of relative IDS (RIDs). You should however only seize this role when the failure of the existing holder is considered permanent.

Note: A DC whose schema master role has been seized should never be brought back online


PDC Emulator Master Failure

Network users will notice the loss of the PDC emulator. If the DC with this role fails you may need to immediatly seize this role. Only pre Windows 2000 clients and NT4 BDCs will be affected.

If you seize the role and return the origional DC to the network you can transfer the role back.


Infrastructure Master Failure

Temporary loss of this role holder will not be noticable to network users. Administrators will not notice the role loss unless they are or have recently moved or renamed large numbers of accounts.

If you are required to seize the role do not seize it to a DC which is a global catalog server unless all DCs are global catalog servers.

If you seize the role and return the origional DC to the network you can transfer the role back










Import and export Active Directory data using comma-separated format.


Add users, groups, computers, contacts, and organizational units to Active Directory.


Modify an existing object of a specific type in the directory. The types of objects that can be modified are: users, groups, computers, servers, contacts, and organizational units.


Remove objects of the specified type from Active Directory.


Rename an object without moving it in the directory tree, or move an object from its current location in the directory to a new location within a single domain controller. (For cross-domain moves, use the Movetree command-line tool.)


Query and find a list of objects in the directory using specified search criteria. Use in a generic mode to query for any type of object or in a specialized mode to query for for selected object types. The specific types of objects that can be queried through this command are: computers, contacts, subnets, groups, organizational units, sites, servers and users.


Display selected attributes of specific object types in Active Directory. Attributes of the following object types can be viewed: computers, contacts, subnets, groups, organizational units, servers, sites, and users.


Ceate, modify, and delete directory objects. This tool can also be used to extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory with data from other directory services.


General purpose Active Directory management tool. Use Ntdsutil to perform database maintenance of Active Directory, to manage single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled.




49) How do you configure a “stand-by operation master” for any of the roles?

Open Active Directory Sites and Services.

Expand the site name in which the standby operations master is located to display the Servers folder.

Expand the Servers folder to see a list of the servers in that site.

Expand the name of the server that you want to be the standby operations master to display its NTDS Settings.

Right-click NTDS Settings, click New, and then click Connection.

In the Find Domain Controllers dialog box, select the name of the current role holder, and then click OK.

In the New Object-Connection dialog box, enter an appropriate name for the Connection object or accept the default name, and click OK.


50) I want to look at the RID allocation table for a DC. What do I do?

dcdiag /test:ridmanager /s:system1 /v (system1 is the name of our DC)





Difference between PDC & BDC

PDC contains a write copy of SAM database where as BDC contains read only copy of SAM database. It is not possible to reset a password with out PDC in Windows NT.



Difference between DC & ADC

There is no difference between in DC and ADC both contains write copy of AD. Both can also handles FSMO roles (If transfers from DC to ADC). It is just for identification. Functionality wise there is no difference.



53. what is the role responsible for time synchronization

PDC Emulator is responsible for time synchronization. Time synchronization is important because Kerberos authentication depends on time stamp information



54. What is the difference between authoritative and non-authoritative restore

In authoritative restore, Objects that are restored will be replicated to all domain controllers in the domain. This can be used specifically when the entire OU is disturbed in all domain controllers or specifically restore a single object, which is disturbed in all DC’s

In non-authoritative restore, Restored directory information will be updated by other domain controllers based on the latest modification time.


55. what is Active Directory De-fragmentation

De-fragmentation of AD means separating used space and empty space created by deleted objects and reduces directory size (only in offline De-fragmentation)


56. Difference between online and offline de-fragmentation

Online De-fragmentation will be performed by garbage collection process, which runs for every 12 hours by default which separate used space and white space (white space is the space created because of object deletion in AD eg User) and improves the efficiency of AD when the domain controller up and running


Offline defragmentation can be done manually by taking domain controller into Restoration mode. We can only reduce the file size of directory database where as the efficiency will be same as in online defragmentation


57. What is tombstone period

Tombstones are nothing but objects marked for deletion. After deleting an object in AD the objects will not be deleted permanently. It will be remain 60 days by default (which can be configurable) it adds an entry as marked for deletion on the object and replicates to all DC’s. After 60 days object will be deleted permanently from all Dc’s.


58. What is folder redirection?


Folder Redirection is a User group policy. Once you create the group policy and link it to the appropriate folder object, an administrator can designate which folders to redirect and where To do this, the administrator needs to navigate to the following location in the Group Policy Object: 

User Configuration\Windows Settings\Folder Redirection 

In the Properties of the folder, you can choose Basic or Advanced folder redirection and you can designate the server file system path to which the folder should be redirected.  The %USERNAME% variable may be used as part of the redirection path, thus allowing the system to dynamically create a newly redirected folder for each user to whom the policy object applies.



59. What is universal group membership cache in windows 2003?


Information is stored locally once this option is enabled and a user attempts to log on for the first time. The domain controller obtains the universal group membership for that user from a global catalog. Once the universal group membership information is obtained, it is cached on the domain controller for that site indefinitely and is periodically refreshed. The next time that user attempts to log on, the authenticating domain controller running Windows Server 2003

will obtain the universal group membership information from its local cache without the need to contact a global catalog.

By default, the universal group membership information contained in the cache of each domain controller will be refreshed every 8 hours.


60. GPMC & RSOP in windows 2003?

GPMC is tool which will be used for managing group policies and will display information like how many policies applied, on which OU’s the policies applied, What are the settings enabled in each policy, Who are the users effecting by these polices, who is managing these policies. GPMC will display all the above  information.



Administrators use the RSoP snap-in to see how multiple Group Policy objects affect various combinations of users and computers, or to predict the effect of Group Policy settings on the network.We have 2 modes Logging Mode Reports the effect of policy on a computer or user. Planning mode which Predicts the affect of policy on the network (GP modeling)


61. Assign & Publish the applications in GP & how?

Through Group policy you can Assign and publish the applications by creating .msi package for that application

With Assign option you can apply policy for both user and computer. If it is applied to computer then the policy will apply to user who logs on to that computer. If it is applied on user it will apply where ever he logs on to the domain. It will be appear in Start menu—Programs. Once user click the shortcut or open any document having that extension then the application install into the local machine. If any application program files missing it will automatically repair.

With Publish option you can apply only on users. It will not install automatically when any application program files are corrupted or deleted.


62. Domain functional levels or 4 modes ?

Windows Server 2003.  All Server 2003, no other domain controllers.  However, even in this level, the whole range of clients and member servers can still join the domain.

Windows Server 2003 Interim – NT4.0 servers and Window Server 2003 (no Windows 2000).  This level arises when you upgrade an NT 4.0 PDC to Server 2003. 

Interim mode is important where you have NT 4.0 groups with more than 5000 members.  Windows 2000 does no allow you to create groups with more than 5000 users.

Windows 2000 Native. (Yes Windows 2000 native) allows Windows 2000 and 2003 servers (no NT 4.0).

Windows 2000 Mixed. (Yes Windows 2000 mixed) allows NT 4.0 BDCs and Window 2000.  Naturally Windows 2000 mixed is the default function level because it supports all types of domain controllers.



Active Directory Trust Relationships


Parent/Child trust: A parent/child trust relationship exists between two domains in Active Directory that have a common contiguous DNS namespace, and who belong to the identical forest. This trust relationship is established when a child domain is created in a domain tree.

Tree Root trust: A tree root trust relationship can be configured between root domains in the same forest. The root domains do not have a common DNS namespace. This trust relationship is established when a new tree root domain is added to a forest.

Shortcut trust: This trust relationship can be configured between two domains in different domain trees but within the same forest. Shortcut trust is typically utilized to improve user logon times.

External trust: External trust relationships are created between an Active Directory domain and a Windows NT4 domain.

Realm trust: A realm trust relationship exists between an Active Directory domain and a non-Windows Kerberos realm.

Forest trust: Forest trust can be created between two Active Directory forests.



64) Domains. The core functional units in the Active Directory logical structure, domains are a collection of administratively defined objects that share a common directory database, security policies, and trust relationships with other domains. Domains provide the following three functions:

•  An administrative boundary for objects

•  A means of managing security for shared resources

•  A unit of replication for objects



65) Tree- Multiple domains are organized into a hierarchical structure called a tree, All domains in a tree share a common schema and a contiguous namespace

organizations that use multiple DNS namespaces, your model must be able to expand outside the boundaries of a single tree. This is where the forest comes in.


66) A Forest is a group of one or more domain trees that do not form a contiguous namespace but may share a common schema and global catalog. There is always at least one forest on a network, and it is created when the first Active Directory–enabled computer (domain controller) on a network is installed.


67) Organizational Units (OUs) provide a way to create administrative boundaries within a domain. Primarily, this allows you to delegate administrative tasks within the domain.OUs serve as containers into which the resources of a domain can be placed. You can then assign administrative permissions on the OU itself. Typically, the structure of OUs follows an organization’s business or functional structure.


68) What are the types of naming convention active directory uses?


The relative distinguished name (RDN) of an object identifies an object uniquely, but only within its parent container.





Distinguished Names

Each object in the directory has a distinguished name (DN) that is globally unique and identifies not only the object itself, but also where the object resides in the overall object hierarchy.



User Principal Names

The user principal name that is generated for each object is in the form username@ domain_name. Users can log on with their user principal name, and an administrator can define suffixes for user principal names if desired


Canonical Names

An object’s canonical name is used in much the same way as the distinguished name— it just uses a different syntax. The same distinguished name presented in the preceding section would have the canonical name:




. What if a FSMO server fails?    

Schema Master

No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications and possibly an Administrator adding an attribute to an object), then the malfunction of the server holding the Schema Master role will not pose a critical problem.

Domain Naming Master

The Domain Naming Master must be available when adding or removing a domain from the forest (i.e. running DCPROMO). If it is not, then the domain cannot be added or removed.  It is also needed when promoting or demoting a server to/from a Domain Controller.  Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

PDC Emulator

The server holding the PDC emulator role will cause the most problems if it is unavailable.  This would be most noticeable in a mixed mode domain where you are still running NT 4 BDCs and if you are using downlevel clients (NT and Win9x). Since the PDC emulator acts as a NT 4 PDC, then any actions that depend on the PDC would be affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication).
In a native mode domain the failure of the PDC emulator isn’t as critical because other domain controllers can assume most of the responsibilities of the PDC emulator.

RID Master

The RID Master provides RIDs for security principles (users, groups, computer accounts). The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups.
Each DC in the domain has a pool of RIDs already, and a problem would occur only if the DC you adding the users/groups on ran out of RIDs.

Infrastructure Master

This FSMO server is only relevant in a multi-domain environment. If you only have one domain, then the Infrastructure Master is irrelevant.  Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another.




What permissions you should have in order to transfer a FSMO role?

Before you can transfer a role, you must have the appropriate permissions depending on which role you plan to transfer:

Schema Master

member of the Schema Admins group

Domain Naming Master

member of the Enterprise Admins group

PDC Emulator

member of the Domain Admins group and/or the Enterprise Admins group

RID Master

member of the Domain Admins group and/or the Enterprise Admins group

Infrastructure Master

member of the Domain Admins group and/or the Enterprise Admins group



71) Which two operations master roles should be available when new security principals are being created and named?


Domain naming master and the relative ID master


72) What are different types of groups?


Security groups Security groups are used to group domain users into a single administrative unit. Security groups can be assigned permissions and can also be used as e-mail distribution lists. Users placed into a group inherit the permissions assigned to the group for as long as they remain members of that group. Windows itself uses only security groups.


Distribution groups These are used for nonsecurity purposes by applications other than Windows. One of the primary uses is within an e-mail



73) What is a group scope and what are the different types of group scopes?


Group scopes determine where in the Active Directory forest a group is accessible and what objects can be placed into the group. Windows Server 2003 includes three group scopes: global, domain local, and universal.


■ Global groups are used to gather users that have similar permissions requirements. Global groups have the following characteristics:


1. Global groups can contain user and computer accounts only from the domain in which the global group is created.

2. When the domain functional level is set to Windows 2000 native or Windows Server 2003 (i.e., the domain contains only Windows 2000 or 2003 servers), global groups can also contain other global groups from the local domain.

3. Global groups can be assigned permissions or be added to local groups in any domain in a forest.


■ Domain local groups exist on domain controllers and are used to control access to resources located on domain controllers in the local domain (for member servers and workstations, you use local groups on those systems instead). Domain local groups share the following characteristics:


1. Domain local groups can contain users and global groups from any domain in a forest no matter what functional level is enabled.

2. When the domain functional level is set to Windows 2000 native or Windows Server 2003, domain local groups can also contain other domain local groups and universal groups.


■ Universal groups are normally used to assign permissions to related resources in multiple domains. Universal groups share the following characteristics:


1. Universal groups are available only when the forest functional level is set to Windows 2000 native or Windows Server 2003.

2. Universal groups exist outside the boundaries of any particular domain and are managed by Global Catalog servers.

3. Universal groups are used to assign permissions to related resources in multiple domains.

4. Universal groups can contain users, global groups, and other universal groups from any domain in a forest.

5. You can grant permissions for a universal group to any resource in any domain.



74) How many characters does a group name contain?




75) What is DFS?


The Distributed File System is used to build a hierarchical view of multiple file servers and shares on the network. Instead of having to think of a specific machine name for each set of files, the user will only have to remember one name; which will be the ‘key’ to a list of shares found on multiple servers on the network. Think of it as the home of all file shares with links that point to one or more servers that actually host those shares.


DFS has the capability of routing a client to the closest available file server by using Active Directory site metrics. It can also be installed on a cluster for even better performance and reliability.

Understanding the DFS Terminology

It is important to understand the new concepts that are part of DFS. Below is an definition of each of them.


Dfs root: You can think of this as a share that is visible on the network, and in this share you can have additional files and folders.


Dfs link: A link is another share somewhere on the network that goes under the root. When a user opens this link they will be redirected to a shared folder.


Dfs target (or replica): This can be referred to as either a root or a link. If you have two identical shares, normally stored on different servers, you can group them together as Dfs Targets under the same link.



76)What are the types of replication in DFS?

There are two types of replication:

* Automatic – which is only available for Domain DFS

* Manual – which is available for stand alone, DFS and requires all files to be replicated manually.


77) Which service is responsible for replicating files in SYSVOL folder?


File Replication Service (FRS)



78) What are Group Policies?


Group Policies are settings that can be applied to Windows computers, users or both.  In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC.  Whether you don’t want users to run Windows Update or change their Display Settings, or you want to insure certain applications are installed on computers – all this can be done with Group Policies.


Group Policies can be configured either Locally or by Domain Polices. Local policies can be accessed by clicking Start, Run and typing gpedit.msc.  They can also be accessed by opening the Microsoft Management Console (Start, Run type mmc), and adding the Group Policy snap-in.  You must be an Administrator to configure/modify Group Policies.  Windows 2000 Group Policies can only be used on Windows 2000 computers or Windows XP computers.  They cannot be used on Win9x or WinNT computers.


79) Domain policy gets applied to whom ?


Domain Policies are applied to computers and users who are members of a Domain, and these policies are configured on Domain Controllers.  You can access Domain Group Polices by opening Active Directory Sites and Services (these policies apply to the Site level only) or Active Directory Users and Computers (these policies apply to the Domain and/or Organizational Units.



80) How to disable Group Policy Objects


When you are creating a Group Policy Object, the changes happen immediately.  There is no “saving” of GPOs.  To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and under the Disable column, double click – a little check will appear.  Click the Edit button, make your changes, then double click under the Disable column to re-enable the GPO.  Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it.  You can also click the Options button on the Group Policy tab and select the Disabled check box.



81) When does the group policy Scripts run?


Startup scripts are processed at computer bootup and before the user logs in.

Shutdown scripts are processed after a user logs off, but before the computer shuts down.


Login scripts are processed when the user logs in.

Logoff scripts are processed when the user logs off, but before the shutdown script runs.


82) When the group policy gets refreshed/applied?


Group Policies can be applied when a computer boots up, and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called Background Refresh.

Background refresh for non DCs (PCs and Member Servers) is every 90 mins., with a +/- 30 min.

interval.  So the refresh could be 60, 90 or 120 mins. For DCs (Domain Controllers), background refresh is every 5 mins.

Also, every 16 hours every PC will request all group policies to be reapplied (user and machine) These settings can be changed under Computer and User Nodes, Administrative Templates,System, Group Policy.



83) How to refresh GP from command line.


gpupdate /target:user  to refresh the user policies

gpupdate /target:machine  to refresh the machine (or computer) policies


gpupdate /force



84) Which are the two types of default policies?

There are two default group policy objects that are created when a domain is created.  The Default Domain policy and the Default Domain Controllers policy.


Default Domain Policy – this GPO can be found under the group policy tab for that domain.  It is the first policy listed.  The default domain policy is unique in that certain policies can only be applied at the domain level.


If you double click this GPO and drill down to Computer Configuration, Windows Settings, Security Settings, Account Policies, you will see three policies listed:


Password Policy

Account Lockout Policy

Kerberos Policy


Default Domain Controllers Policy – This policy can be found by right clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab.  This policy affects all Domain Controllers in the domain regardless of where you put the domain controllers.  That is, no matter where you put your domain controllers in Active Directory (whatever OU you put them in), they will still process this policy.



 What are the two exceptions to control the inheritance of the group policy?


■ No Override When you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.


■ Block Inheritance You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.


































Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s