Wednesday, May 7, 2014

Answers to Microsoft Active Directory Interview Questions - Part 3

This is part of the series 'Active Directory Interview Questions and Answers'. You can find the questions page and the previous parts of the answers from the links below. If you landed on this page directly, please use the link below to go to the questions page. I hope this series helps you prepare for and succeed in the interview.

Answers Part 1 : 1 to 56
Answers Part 2 :  57 to 63

Answers Part 3 : 64 to 80

64.   Netdom is a command-line tool for managing Active Directory domains, computer accounts and trust relationships. Typical uses: join a computer to a domain (netdom join), rename a computer or manage its primary and alternate names (netdom computername), reset a computer's secure channel or a domain controller's machine account password (netdom reset, netdom resetpwd), create, verify and remove one-way or two-way trusts (netdom trust), and list the operations master role holders (netdom query fsmo).

65.   Role seizure is the act of assigning an operations master (FSMO) role to a new domain controller without the cooperation of the current role holder, normally because that holder is permanently offline after a hardware failure. During a seizure the new domain controller takes the role without ever communicating with the old holder, so the directory ends up with two DCs that both believe they own the role. Seizure is done with Ntdsutil.exe (roles, connect to the new holder, seize ...) or, from Windows Server 2008 R2, with Move-ADDirectoryServerOperationMasterRole -Force; repadmin.exe is used afterwards to check replication health, not to seize. Two rules follow from this: always attempt a normal transfer first and seize only when the holder cannot be contacted, and never bring the old holder back on the network after seizing the schema master, domain naming master or RID master. Its replication metadata must be removed (ntdsutil metadata cleanup, or deleting its computer/server object on Windows Server 2008 and later) and it must be rebuilt before it can rejoin.
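The procedure described above, as an added example that is not part of the original post: record the current role holders, try a graceful transfer and fall back to a seizure only when the holder is unreachable, verify, and then remove the dead DC's metadata. The server names, site name and domain DN are assumptions for illustration.

```powershell
# Added example (not from the original post). Assumed names: DC01 is the failed
# role holder that will never return; DC02 is the healthy DC taking over.
Import-Module ActiveDirectory

$deadDc = 'DC01'
$newDc  = 'DC02'
$roles  = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster', 'SchemaMaster', 'DomainNamingMaster'

# 1. Record who holds what before touching anything (keep this output).
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 2. Transfer first; seize (-Force) only when the holder cannot be contacted.
try {
    Move-ADDirectoryServerOperationMasterRole -Identity $newDc -OperationMasterRole $roles `
        -Confirm:$false -ErrorAction Stop
}
catch {
    Write-Warning "Transfer failed: $($_.Exception.Message). Seizing roles on $newDc."
    Move-ADDirectoryServerOperationMasterRole -Identity $newDc -OperationMasterRole $roles `
        -Force -Confirm:$false
}

# 3. Verify from a second tool, then confirm the change has replicated.
netdom query fsmo
repadmin /showrepl $newDc

# 4. The old holder must never come back online. Remove its replication
#    metadata so no DC still treats it as a partner or as a role owner.
#    Assumed DN: adjust the site and domain components to your forest.
$deadDcDn = "CN=$deadDc,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example"
ntdsutil "metadata cleanup" "remove selected server $deadDcDn" quit quit

# 5. Nothing should still reference the dead DC after cleanup.
repadmin /showrepl * /errorsonly
```

The -Force switch on the cmdlet already "transfers if possible, seizes otherwise", so the try/catch is mainly there to make it visible in the log which of the two actually happened. If the seized RID master ever came back, it would hand out RID ranges that overlap with the new holder's, producing duplicate SIDs; that is why step 4 is not optional.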

66.   Inter-Site Topology Generator. One domain controller per site holds the Inter-Site Topology Generator (ISTG) role. It is selected automatically by the KCC, not assigned by an administrator, and it is responsible for creating and managing the inbound replication connection objects for all bridgehead servers in the site in which it is located.

67.   Yes, with the Active Directory PowerShell module. Get-ADUser with the LastLogonDate property (lastLogonTimestamp converted to a DateTime) piped through Where-Object, or the purpose-built Search-ADAccount -AccountInactive, lists users who have not logged on within a given number of days. The caveat to mention in an interview: lastLogonTimestamp is replicated to every DC, but it is only rewritten when the stored value is older than msDS-LogonTimeSyncInterval (14 days by default, minus a random amount up to 5 days), so it answers "has not logged on for 90 days" only to within about two weeks. The lastLogon attribute is exact but is not replicated, so it differs on every DC.
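A worked version of that query, added here as an example and not taken from the original post. It reads the raw lastLogonTimestamp, applies the replication-interval slack described above so that the result is conservative, skips accounts that are newer than the window, and cross-checks against Search-ADAccount. The 90-day threshold is an assumption.

```powershell
# Added example (not from the original post). Assumed policy: 90 days inactive.
Import-Module ActiveDirectory

$days   = 90
$cutoff = (Get-Date).AddDays(-$days)

# lastLogonTimestamp can lag the true last logon by up to msDS-LogonTimeSyncInterval
# days (default 14). Read the domain's configured value and widen the window by it.
$domainDn = (Get-ADDomain).DistinguishedName
$slack    = (Get-ADObject -Identity $domainDn -Properties 'msDS-LogonTimeSyncInterval').'msDS-LogonTimeSyncInterval'
if (-not $slack) { $slack = 14 }
$safeCutoff = $cutoff.AddDays(-$slack)

$inactive = Get-ADUser -Filter { Enabled -eq $true } -Properties lastLogonTimestamp, whenCreated |
    ForEach-Object {
        # FILETIME (100 ns ticks since 1601-01-01); absent or 0 means never logged on
        $last = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            LastLogon      = $last
            Created        = $_.whenCreated
            NeverLoggedOn  = (-not $last)
        }
    } |
    Where-Object {
        # An account created inside the window may simply be new, not abandoned
        $_.Created -lt $cutoff -and ($_.NeverLoggedOn -or $_.LastLogon -lt $safeCutoff)
    }

$inactive | Sort-Object LastLogon | Format-Table SamAccountName, LastLogon, NeverLoggedOn -AutoSize

# Cross-check: the built-in cmdlet uses the same attribute but without the slack,
# so it will normally list a few more accounts than the conservative query above.
Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($days)) -UsersOnly |
    Select-Object -ExpandProperty SamAccountName

# Disable rather than delete, so a false positive can be reversed without a restore.
# Remove -WhatIf once the list has been reviewed.
$inactive | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

Service accounts and accounts used only for non-interactive authentication (for example, an account used by a scheduled job via a network logon) still update lastLogonTimestamp, so they will not show up as inactive just because nobody types their password.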

68.   GPOs apply in this order: Local Policy, Site, Domain, then Organizational Units (parent OU before child OU). Settings applied later override conflicting settings applied earlier, so an OU-linked GPO normally wins over a domain-linked one. Two exceptions: a link marked Enforced wins even over later links, and Block Inheritance on an OU stops non-enforced GPOs from the site, domain and parent OUs from applying. Where several GPOs are linked to the same container, the link order decides precedence.

69.   CSVDE and LDIFDE are command-line tools that import Active Directory data from, or export it to, a file. CSVDE uses comma-separated values (CSV), which can be opened in Excel and easily edited with a script, but on import it can only create objects. LDIFDE uses LDIF (LDAP Data Interchange Format, RFC 2849), a cross-platform standard that can also express modifications and deletions, and it is the format used for schema extensions. Neither tool can set a password from a plain-text file (LDIFDE can set unicodePwd only over an SSL-protected LDAP session), so imported user accounts should be created disabled and given a password afterwards.
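An added example, not from the original post, showing both tools together: a scoped CSVDE export, then an LDIFDE import of a user from an LDIF record built inline. The OU name and the user's details are constructed for the illustration; the domain DN and DNS name are read from the domain the script runs in.

```powershell
# Added example (not from the original post). Assumed OU: OU=Staff under the domain root.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=example
$dnsRoot  = (Get-ADDomain).DNSRoot             # e.g. corp.example
$ou       = "OU=Staff,$domainDn"

# Export. -d sets the search base, -r an LDAP filter, -l the attribute list.
# Without -l csvde writes every readable attribute, which is more than you
# want sitting in a CSV on disk.
csvde -f .\staff.csv -d $ou -r "(objectClass=user)" -l "sAMAccountName,displayName,mail"

# Import. One LDIF record per object; a blank line separates records.
# userAccountControl 514 = NORMAL_ACCOUNT + ACCOUNTDISABLE, because the
# password cannot be supplied here.
$ldif = @"
dn: CN=Jane Doe,$ou
changetype: add
objectClass: user
sAMAccountName: jdoe
userPrincipalName: jdoe@$dnsRoot
displayName: Jane Doe
userAccountControl: 514
"@
Set-Content -Path .\new-users.ldf -Value $ldif -Encoding ASCII

# -i import, -k continue past "object already exists" / constraint errors,
# -j directory for the ldif.log / ldif.err files.
ldifde -i -k -f .\new-users.ldf -j .

# Finish the account outside the file: set a password, then enable it.
Set-ADAccountPassword -Identity jdoe -Reset -NewPassword (Read-Host -AsSecureString 'Initial password')
Enable-ADAccount -Identity jdoe
```

To modify an existing object instead, an LDIF record uses `changetype: modify` followed by `replace: <attribute>`, the new value, and a line containing only `-`; CSVDE has no equivalent, which is the main reason LDIFDE is preferred for anything beyond bulk creation.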

70.   A user object is a security principal in the directory: it has a SID, it can log on to the network, and permissions can be granted to it in ACLs. A contact object is not a security principal; it has no SID and no password, you cannot log on as a contact, and it cannot be granted permissions. Contacts are normally used to represent people outside the organisation, mainly so that they appear in the address book and can be added to distribution groups for e-mail.

71.   A bridgehead server is the domain controller in a site that acts as the contact point for replication with other sites: it receives and sends directory updates across the site link. For intersite replication, the KCC (through the site's ISTG) designates one of the domain controllers in the site as the bridgehead server; if that server goes down, the KCC designates another one. An administrator can also mark specific DCs as preferred bridgehead servers, at the cost that replication stops if all preferred servers in a site are unavailable. When a bridgehead server receives replication updates from another site, it replicates them to the other domain controllers within its own site.

72.   Active Directory replication occurs between domain controllers when directory data is updated on one domain controller and that update is copied to all other domain controllers. When a change occurs, the source domain controller sends a change notification to its replication partners, which then request the updates from the source. Within a site the source normally waits a short delay (15 seconds by default) before sending the notification, and between sites replication normally waits for the site link schedule. For certain changes that delay is a security risk, so urgent replication sends the notification immediately, with no delay, to replication partners in the same site (and across sites only where change notification is enabled on the site link). Changes that trigger urgent replication include account lockouts, changes to the account lockout policy, changes to the domain password policy, and changes to the password of a domain controller's computer account. In addition, ordinary user password changes are pushed immediately to the PDC emulator so that a user who just changed a password is not rejected by a DC that has not yet replicated it.

73.   A realm trust is a one-way or two-way trust, which can be transitive or non-transitive, between a non-Windows Kerberos realm and an Active Directory domain (Windows Server 2003 or later). It allows cross-platform interoperability with security services based on other Kerberos V5 implementations, such as MIT Kerberos on UNIX. Because the other side knows nothing about SIDs, users from the realm are mapped to AD accounts (via altSecurityIdentities or a name-mapping) before they can be authorised.

74.   An Active Directory structure is an arrangement of information about objects. The objects fall into two broad categories: resources (e.g., printers) and security principals (user or computer accounts and groups). Security principals are assigned unique security identifiers (SIDs). Each object represents a single entity, whether a user, a computer, a printer or a group, together with its attributes. Certain objects (containers and OUs) can contain other objects. An object is uniquely identified by its distinguished name and has a set of attributes, the characteristics and information that the object represents, defined by the schema, which also determines which kinds of objects can be stored in Active Directory.

75.   Adding a custom attribute means modifying the Active Directory schema, which is forest-wide and effectively permanent: an attribute or class can later be deactivated (defunct) but never deleted. The change must be made on, or while connected to, the Schema Master, and the user making it must be a member of the Schema Admins group (Enterprise Admins is also required for some operations such as adprep). By default only the built-in Administrator account of the forest root domain is a member of Schema Admins, and good practice is to keep the group empty except while a change is being made, since membership of it is one of the most powerful positions in the forest. The tools are the Active Directory Schema snap-in (schmmgmt.msc, after registering it with regsvr32 schmmgmt.dll), adsiedit.msc, or an LDIF file imported with ldifde, which is how most vendor schema extensions (for example Exchange) are shipped. A new attribute needs a unique OID from your own OID arc, a syntax, and an lDAPDisplayName, and it only becomes visible to clients after the schema cache is reloaded.

76.   When a new domain user or group account is created, Active Directory stores the account's SID in the objectSID attribute of the user or group object. The SID is the domain's SID followed by a relative identifier (RID) taken from the pool that the RID master hands out to each DC, and it is what ACLs and access tokens refer to. Active Directory also allocates the new object a globally unique identifier (GUID), a 128-bit value that is unique not just in the enterprise but across the world; every object created by Active Directory gets one, stored in its objectGUID attribute. The difference matters in practice: objectGUID never changes for the life of the object, even when it is renamed or moved, whereas the SID changes when an object is moved to another domain (the old value is kept in sIDHistory so existing ACLs keep working). Only security principals have a SID; every object has a GUID.

77.   Dcpromo (dcpromo.exe), the Active Directory Domain Services Installation Wizard, promotes a member server to a domain controller and demotes a domain controller back to a member server; it can also run unattended with an answer file (dcpromo /unattend). Starting with Windows Server 2012 it is deprecated in favour of Server Manager and the ADDSDeployment PowerShell cmdlets (Install-ADDSForest, Install-ADDSDomain, Install-ADDSDomainController, Uninstall-ADDSDomainController).

78.   Yes. Keeping your Active Directory as simple as possible improves overall efficiency and makes troubleshooting easier whenever problems arise. Use a site topology that matches the physical network. Use dedicated domain controllers rather than running other roles on them. Have at least two DNS servers hosting the AD zones. Place at least one global catalog server in each site, and at least two domain controllers per domain so that no single failure takes the domain down.

79.   There are many changes from Windows Server 2003 to Windows Server 2008. AD DS became a restartable service, so it can be stopped for offline maintenance (such as an offline defragmentation of ntds.dit) without rebooting into Directory Services Restore Mode. Read-Only Domain Controllers (RODCs) were introduced for branch offices. Fine-grained password policies allow more than one password and lockout policy in a domain. Group Policy Preferences were added, and Group Policy templates moved to the XML-based ADMX format with a central store in SYSVOL. SYSVOL replication can use DFS Replication (DFSR) instead of FRS once the domain functional level is Windows Server 2008. Windows Server 2008 R2 then added the Active Directory Recycle Bin (requires the Windows Server 2008 R2 forest functional level), the Active Directory Administrative Center, Active Directory Web Services with the Active Directory module for Windows PowerShell, offline domain join (djoin.exe), and managed service accounts.

80.   To add a Windows Server 2008 R2 domain controller to an existing Windows Server 2003 forest, the forest functional level must be at least Windows Server 2003; a forest still at the Windows 2000 level must be raised first, which requires that every Windows 2000 domain controller has been removed and that all domains are at the Windows Server 2003 domain functional level. The schema and domains must then be prepared from the 2008 R2 installation media (\support\adprep): adprep /forestprep on the schema master (needs Schema Admins, Enterprise Admins and Domain Admins of the forest root), adprep /domainprep /gpprep on the infrastructure master of each domain, and adprep /rodcprep if you intend to deploy Read-Only Domain Controllers. The 2008 R2 adprep.exe is 64-bit only; on a 32-bit Windows Server 2003 DC use adprep32.exe. Once the first 2008 R2 DC is in place, an RODC can be added as long as the forest is at the Windows Server 2003 level, rodcprep has been run, and the domain has at least one writable Windows Server 2008 or later DC for the RODC to replicate from. None of these steps require raising the functional levels beyond Windows Server 2003, but raising the domain level to Windows Server 2008 later unlocks DFSR for SYSVOL and fine-grained password policies.
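The checks implied by that answer, written out as an added example (not from the original post). It uses the .NET System.DirectoryServices.ActiveDirectory classes rather than the ActiveDirectory module so that it also runs on a Windows Server 2003 DC, which has no such module. The schema version numbers in the comment are the published values for each release.

```powershell
# Added example (not from the original post): prerequisite checks before the
# first Windows Server 2008 R2 DC is promoted into a Windows Server 2003 forest.
$forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$rootDse = [ADSI]"LDAP://RootDSE"
$schemaNc      = [string]$rootDse.schemaNamingContext
$schemaVersion = [int]([ADSI]"LDAP://$schemaNc").objectVersion.Value

"Forest functional level : $($forest.ForestMode)"
"Domain functional level : $($domain.DomainMode)"
"Schema objectVersion    : $schemaVersion  (30 = 2003, 31 = 2003 R2, 44 = 2008, 47 = 2008 R2)"
"Schema master           : $($forest.SchemaRoleOwner.Name)"
"Domain naming master    : $($forest.NamingRoleOwner.Name)"
"Infrastructure master   : $($domain.InfrastructureRoleOwner.Name)"

# A 2008 R2 DC cannot be promoted into a forest still at the Windows 2000 level.
$required = [System.DirectoryServices.ActiveDirectory.ForestMode]::Windows2003Forest
if ($forest.ForestMode -lt $required) {
    throw "Forest level is $($forest.ForestMode). Remove any Windows 2000 DCs and raise the forest to Windows Server 2003 first."
}

# Schema/domain preparation is needed once per forest and once per domain.
# It is a schema change: irreversible, so take a system-state backup of the
# schema master before running it.
if ($schemaVersion -lt 47) {
    "Schema is below 2008 R2 level. From the 2008 R2 media (\support\adprep; adprep32.exe on a 32-bit 2003 DC):"
    "  on $($forest.SchemaRoleOwner.Name):          adprep /forestprep"
    "  on $($domain.InfrastructureRoleOwner.Name):  adprep /domainprep /gpprep"
    "  on any DC (contacts each infrastructure master): adprep /rodcprep"
}
else {
    "Schema already at 2008 R2 level; adprep has been run."
}

# RODC prerequisite: at least one writable Windows Server 2008 or later DC in the domain.
$writable2008 = $domain.DomainControllers | Where-Object { $_.OSVersion -like 'Windows Server 2008*' }
if ($writable2008) {
    "Writable 2008/2008 R2 DCs present: $(($writable2008 | ForEach-Object Name) -join ', '); RODCs can be added."
}
else {
    "No writable 2008/2008 R2 DC yet. Promote a full DC first; an RODC cannot be the first."
}
```

Raising the forest functional level and running adprep /forestprep are both one-way operations that touch every domain in the forest, so in a real migration both are done in a change window with a verified backup of the schema master, and replication (repadmin /replsummary) is confirmed healthy before and after.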

For the answers from 81 to 100 Please click the below link:

Answers to Active Directory Interview Questions: Part 4
