Active Directory: FSMO Roles


KCC

The KCC is a built-in process that runs on all domain controllers and generates replication
topology for the Active Directory forest. The KCC creates separate replication topologies
depending on whether replication is occurring within a site (intrasite) or between sites (intersite).
The KCC also dynamically adjusts the topology to accommodate new domain controllers,
domain controllers moved to and from sites, changing costs and schedules, and domain
controllers that are temporarily unavailable.

How do you view replication properties for AD?

With Active Directory Replication Monitor (Replmon), a GUI tool from the Windows Server 2003 Support Tools: Start > Run > replmon. Replmon is not shipped with Windows Server 2008 and later; there, use repadmin /showrepl and repadmin /replsummary, or the Get-ADReplication* PowerShell cmdlets, instead.
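The same information Replmon showed, gathered for every domain controller in the forest, as an added example (not code from the original page). It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) and a 24-hour staleness threshold, which is an assumption you should set to your replication schedule:

```powershell
# Added example: summarise inbound replication for every DC in the forest and
# flag partners that are failing or have not replicated recently.
# Assumes the ActiveDirectory module and read access to the directory.
Import-Module ActiveDirectory

$staleAfter = (Get-Date).AddHours(-24)   # assumed threshold; tune to your site link schedules

$dcs = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

foreach ($dc in $dcs) {
    # One object per inbound partner and naming context
    $partners = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -PartnerType Inbound
    foreach ($p in $partners) {
        $status = 'OK'
        if ($p.LastReplicationResult -ne 0)          { $status = "ERROR $($p.LastReplicationResult)" }
        elseif ($p.LastReplicationSuccess -lt $staleAfter) { $status = 'STALE' }

        # Partner is the DN of the partner's NTDS Settings object:
        # "CN=NTDS Settings,CN=<dc name>,CN=Servers,CN=<site>,..." - pull out the DC name
        [pscustomobject]@{
            DC          = $dc.HostName
            Partition   = $p.Partition
            Partner     = (($p.Partner -split ',')[1]) -replace '^CN=', ''
            LastSuccess = $p.LastReplicationSuccess
            Failures    = $p.ConsecutiveReplicationFailures
            Status      = $status
        }
    }
}

# Explicit failure records, the equivalent of "repadmin /showrepl /errorsonly"
Get-ADReplicationFailure -Target (Get-ADForest).Name -Scope Forest |
    Select-Object Server, Partner, FirstFailureTime, FailureCount, LastError
```

A non-zero LastReplicationResult is a Win32 error code (for example 8606 for lingering objects or 1722 for RPC unavailable); a partner that reports OK but whose LastSuccess is older than the longest site-link interval is the case repadmin /replsummary would also highlight.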

What are sites? What are they used for?


One or more well-connected (highly reliable and fast) TCP/IP subnets. A site allows
administrators to configure Active Directory access and replication topology to take advantage of
the physical network.

Name some OU design considerations.

OU design has to balance two needs: delegating administrative rights (which is independent of Group Policy) and scoping where Group Policy applies. The following recommendations address delegation and scope:
Applying Group Policy: an OU is the lowest-level Active Directory container to which you can link Group Policy settings, so the hierarchy should reflect how policy needs to differ (workstations versus servers, departments, locations).
Delegating administrative authority: delegation is done by setting ACLs on OUs, so group the objects one team administers under a single OU. Keep the tree shallow; delegation rarely needs more than three OU levels, and deep nesting makes effective permissions hard to audit.

http://technet.microsoft.com/en-us/library/cc783140.aspx
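Delegation in practice means writing an ACE on the OU. The following is an added example, not taken from the linked TechNet article: it grants a helpdesk group only the Reset Password right on user objects under one OU, then lists the explicit ACEs so the delegation can be reviewed. The OU DN and group name are assumptions; the two GUIDs are the well-known schema identifiers for the Reset Password control-access right and the user object class.

```powershell
# Added example: least-privilege delegation of "Reset Password" on one OU,
# followed by a review of the non-inherited ACEs on that OU.
# Assumed names: OU=Helpdesk Users,DC=abc,DC=local and group Helpdesk-PwReset.
Import-Module ActiveDirectory

$ouDn  = 'OU=Helpdesk Users,DC=abc,DC=local'
$group = Get-ADGroup -Identity 'Helpdesk-PwReset'
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Well-known schema GUIDs: the "Reset Password" control access right, and the
# "user" class so the right applies to user objects only (not computers, groups, ...).
$resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$userClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$acl  = Get-Acl -Path "AD:\$ouDn"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Review: explicit (non-inherited) ACEs on the OU that are not the built-in defaults.
# ObjectType shows which right/attribute each ACE covers; an empty GUID means "everything".
Get-Acl -Path "AD:\$ouDn" |
    Select-Object -ExpandProperty Access |
    Where-Object {
        -not $_.IsInherited -and
        $_.IdentityReference -notmatch 'SYSTEM|Domain Admins|Enterprise Admins|Administrators|SELF|Account Operators'
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, AccessControlType
```

Scoping the ACE to the user class with the Descendents inheritance type is what keeps the helpdesk from resetting passwords on accounts that are not users; an ACE with GenericAll or WriteDacl on an OU, which the Delegation of Control wizard does not create but ad-hoc edits often do, is effectively full control of everything beneath it.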

What are FSMO Roles? List them.

FSMO (Flexible Single Master Operations) roles are operations that Active Directory does not allow to be multi-master; each role is held by exactly one domain controller at a time. Two are forest-wide and three exist in every domain, five in all:
1. Schema master (forest-wide)
2. Domain naming master (forest-wide)
3. RID master (per domain)
4. PDC emulator (per domain)
5. Infrastructure master (per domain)
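Listing the current holders, as an added example (not from the original page), with the placement check most often asked as a follow-up: the infrastructure master should not run on a global catalog unless every DC in the domain is a GC. It assumes the ActiveDirectory module; netdom query fsmo gives the same list from a command prompt.

```powershell
# Added example: show the five FSMO role holders and check the
# infrastructure-master / global-catalog placement rule.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster         # forest-wide
    DomainNamingMaster   = $forest.DomainNamingMaster   # forest-wide
    RIDMaster            = $domain.RIDMaster            # per domain
    PDCEmulator          = $domain.PDCEmulator          # per domain
    InfrastructureMaster = $domain.InfrastructureMaster # per domain
} | Format-List

# Placement rule: if the infrastructure master is a GC but some DCs are not,
# cross-domain group membership references (phantoms) are never updated.
$dcs   = Get-ADDomainController -Filter * -Server $domain.DNSRoot
$allGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
$im    = Get-ADDomainController -Identity $domain.InfrastructureMaster

if ($im.IsGlobalCatalog -and -not $allGc) {
    Write-Warning "Infrastructure master $($im.HostName) is a GC while other DCs in $($domain.DNSRoot) are not."
} else {
    "Infrastructure master placement OK ($($im.HostName); all DCs are GCs: $allGc)"
}
```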

Logical diagram of Active Directory? What is the difference between a child domain and an additional domain controller?
If you know what a domain is, you have half the answer. Say you have the domain microsoft.com with a server named server1 in it; microsoft.com happens to be the parent (root) domain, so the server's FQDN is server1.microsoft.com. An additional domain controller for that same domain, named server2, has the FQDN server2.microsoft.com and holds another writable replica of the same domain partition.
Now Microsoft is big and has offices in Europe and Asia, so child domains are created for them: europe.microsoft.com and asia.microsoft.com. Each child domain is a separate partition with its own domain controllers and an automatic two-way transitive trust to its parent. If each child domain has a server named server1, the FQDNs are server1.europe.microsoft.com and server1.asia.microsoft.com.
What are Active Directory Groups?
Groups are containers that contain user and computer objects within them as members. When
security permissions are set for a group in the Access Control List on a resource, all members of
that group receive those permissions. Domain Groups enable centralized administration in a
domain. All domain groups are created on a domain controller.
In a domain, Active Directory provides support for different types of groups and group scopes.
The group type determines the type of task that you manage with the group. The group scope
determines whether the group can have members from multiple domains or a single domain.

Group Types
* Security groups: Use security groups to grant permissions on resources; they have a SID and can appear in an ACL. A security group can also be mail-enabled and used as an e-mail distribution list, so security groups have all the capabilities of distribution groups.
* Distribution groups: Used only for sending e-mail messages to a set of users. Distribution groups have no security function and cannot be granted permissions. They are still needed because a group that will never be used for access control should not add a SID to every member's access token, and because some applications can only address distribution groups.

Group Scopes
Group scope determines where a group can be granted permissions and which objects it may contain. Groups can be nested (a group can be a member of another group), but the allowed nesting depends on scope, so the three scopes are normally combined: put accounts in global groups, nest the global groups in domain local groups, and grant permissions to the domain local group (the AGDLP pattern).
* Domain Local Group: Use this scope to grant permissions to resources located in the same domain in which the group was created; a domain local group cannot be used on ACLs in other domains. Its membership is wide: user accounts, global groups and universal groups from any domain in the forest (or from a trusted domain), and, at Windows 2000 native functional level or higher, other domain local groups from the same domain. A domain local group can itself only be a member of other domain local groups in its own domain. Domain local groups exist at every domain functional level (mixed, native and interim).
* Global Group: Used to collect users with a similar function. A global group can be granted permissions to resources (a printer, a shared folder) in any domain in the forest or in a trusting domain, but its membership is restricted to user accounts and other global groups from the domain in which it was created. Global groups can be members of universal groups and of domain local groups in any domain, and of other global groups in the same domain. Global groups exist at every domain functional level.
* Universal Group: Can be granted permissions in any domain in the forest (or a trusting forest) and can contain user accounts, global groups and universal groups from any domain in the forest. Universal group membership is stored in the global catalog, so every membership change replicates forest-wide; nest global groups in them rather than individual users to limit that traffic. Universal security groups require Windows 2000 native or Windows Server 2003 domain functional level (in mixed mode only universal distribution groups can exist). A universal group can be a member of domain local groups in any domain and of other universal groups, but never of a global group.
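The AGDLP pattern and the nesting rules above, as an added example that is not part of the original page. The group, user and share names are assumptions, and the ACL step has to run where \\FS01\Finance is reachable:

```powershell
# Added example: Accounts -> Global group -> Domain Local group -> Permission.
# Assumed objects: users alice and bob, OU=Groups,DC=abc,DC=local, share \\FS01\Finance.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=abc,DC=local'
New-ADGroup -Name 'Finance-Staff'      -GroupScope Global      -GroupCategory Security -Path $ou
New-ADGroup -Name 'ACL-Finance-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ou

Add-ADGroupMember -Identity 'Finance-Staff'      -Members alice, bob      # accounts into the global group
Add-ADGroupMember -Identity 'ACL-Finance-Modify' -Members 'Finance-Staff' # global nested in domain local

# Permission goes on the domain local group, never on users or the global group directly.
$acl  = Get-Acl -Path '\\FS01\Finance'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'ABC\ACL-Finance-Modify', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path '\\FS01\Finance' -AclObject $acl

# Who effectively has access: expand the nesting down to accounts.
Get-ADGroupMember -Identity 'ACL-Finance-Modify' -Recursive |
    Select-Object SamAccountName, objectClass

# Nesting the other way round is refused by the directory: a domain local
# group cannot be a member of a global group.
try {
    Add-ADGroupMember -Identity 'Finance-Staff' -Members 'ACL-Finance-Modify' -ErrorAction Stop
} catch {
    Write-Warning "Rejected as expected: $($_.Exception.Message)"
}
```

The reason for the pattern is operational as much as tidy: access reviews ask "who can modify Finance?", which Get-ADGroupMember -Recursive on the one domain local group answers, and if a second domain joins the forest its own global group is simply added to the same domain local group.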
What are the types of backup? Explain each.
Full (normal)
A full backup copies every selected file regardless of when it last changed and marks the files as backed up. It takes the longest and is the baseline that the other two types are defined against.

Incremental
A “normal” incremental backup will only back up files that have been changed since the last
backup of any type. This provides the quickest means of backup, since it only makes copies of
files that have not yet been backed up. For instance, following our full backup on Friday,
Monday’s tape will contain only those files changed since Friday. Tuesday’s tape contains only
those files changed since Monday, and so on. The downside to this is obviously that in order to
perform a full restore, you need to restore the last full backup first, followed by each of the
subsequent incremental backups to the present day in the correct order. Should any one of these
backup copies be damaged (particularly the full backup), the restore will be incomplete.

Differential
A cumulative backup of all changes made after the last full backup. The advantage to this is the
quicker recovery time, requiring only a full backup and the latest differential backup to restore
the system. The disadvantage is that for each day elapsed since the last full backup, more data
needs to be backed up, especially if a majority of the data has been changed.

What is the SYSVOL folder?

The Windows Server 2003 System Volume (SYSVOL) is a collection of folders and reparse points in the file system that exists on every domain controller in a domain. SYSVOL provides a standard location to store the file-system parts of Group Policy objects (GPOs) and logon scripts so that the File Replication Service (FRS) can replicate them to the other domain controllers in the domain (Windows Server 2008 and later can migrate this replication to DFS Replication). It is shared as \\<domain>\SYSVOL and is readable by every authenticated user, so scripts and policy files placed there must never contain credentials.
You can open the SYSVOL folder by typing %systemroot%\SYSVOL in the Run box.

What is the ISTG? Who has that role by default?

The Inter-Site Topology Generator is the one domain controller per site whose KCC builds the inter-site part of the replication topology and selects the bridgehead servers for that site. By default the first domain controller promoted in a site becomes its ISTG; if it goes offline, another DC in the site takes over automatically. The DC holding the ISTG role is not necessarily a bridgehead server itself.

What is the order in which GPOs are applied?

Local, Site, Domain, OU (remembered as LSDOU), with parent OUs before child OUs. Later settings override earlier ones where they conflict, so the closest OU normally wins. The exceptions are links marked Enforced, which cannot be overridden by lower levels, and containers with Block Inheritance, which drop all non-enforced links from above.
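The processing order for one OU, reconstructed from the directory, as an added example that is not part of the original page. It assumes the GroupPolicy and ActiveDirectory modules; the OU DN and site name are assumptions. Site links are parsed from the raw gPLink attribute because Get-GPInheritance covers domains and OUs; domain and OU links come from that cmdlet, which already folds Enforced and Block Inheritance into its precedence list:

```powershell
# Added example: list the GPOs that apply to an OU in LSDOU processing order.
# Assumed OU and site names.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ouDn = 'OU=Workstations,DC=abc,DC=local'
$site = 'Default-First-Site-Name'

# Site-linked GPOs live in the site's gPLink attribute, one entry per link:
#   [LDAP://cn={guid},cn=policies,cn=system,DC=...;<flags>]
# flags bit 1 = link disabled, bit 2 = enforced.
$siteObj   = Get-ADReplicationSite -Identity $site -Properties gPLink
$siteLinks = @(foreach ($m in [regex]::Matches([string]$siteObj.gPLink, '\[LDAP://(?<dn>[^;]+);(?<flags>\d+)\]')) {
    $flags = [int]$m.Groups['flags'].Value
    if ($flags -band 1) { continue }                                   # disabled link
    $guid = [regex]::Match($m.Groups['dn'].Value, '\{[^}]+\}').Value
    [pscustomobject]@{ Level = 'Site'; GPO = (Get-GPO -Guid $guid).DisplayName; Enforced = [bool]($flags -band 2) }
})

# InheritedGpoLinks is in precedence order (highest first) and already accounts
# for Enforced links and Block Inheritance; reversing it yields processing order.
$inh   = Get-GPInheritance -Target $ouDn
$domOu = @(foreach ($l in $inh.InheritedGpoLinks) {
    if (-not $l.Enabled) { continue }
    [pscustomobject]@{ Level = $l.Target; GPO = $l.DisplayName; Enforced = $l.Enforced }
})
[array]::Reverse($domOu)

$order = @([pscustomobject]@{ Level = 'Local'; GPO = 'Local Group Policy'; Enforced = $false }) + $siteLinks + $domOu
$order | Format-Table Level, GPO, Enforced -AutoSize

if ($inh.GpoInheritanceBlocked) {
    Write-Warning "$ouDn blocks inheritance; only Enforced links from above still apply."
}
```

The last row printed is the one whose settings win a conflict, which is what gpresult /r reports on a client as the applied order; the script is useful precisely when gpresult and expectation disagree, because it shows where an Enforced site or domain link is overriding an OU link.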


System administrator interview questions with answers, Part 2
Posted on May 7, 2009. Filed under: Interview Question | Tags: Interview Question |

Welcome to system administrator interview questions with answers, Part 2. If you have read Part 1 of this article, carry on; otherwise please read system administrator interview questions with answers Part 1 first.
1. Can a workstation computer be configured to browse the Internet and yet NOT have a default gateway?

Yes, but only if it has some other way to reach hosts outside its own subnet: either explicit static routes for the destinations it needs, or a web proxy on its own subnet to which the browser sends every request (the proxy then does the routing). Whether the workstation's address is public or private makes no difference; a public IP address still needs a gateway for any destination that is not on-link.

2. What is CIDR?

CIDR (Classless Inter-Domain Routing, sometimes known as supernetting) is a way to allocate and specify Internet addresses for inter-domain routing more flexibly than the original system of IP address classes. A network is written as a prefix and a prefix length, for example 192.0.2.0/24, so address blocks can be any power-of-two size and adjacent blocks can be aggregated into a single route. As a result the number of usable Internet addresses has been greatly increased and routing tables are kept smaller. CIDR is now the routing system used by virtually all gateway hosts on the Internet's backbone, and the Internet's regulating authorities expect every Internet service provider (ISP) to use it.

3. What is DHCP? What are the benefits and drawbacks of using it?

DHCP is the Dynamic Host Configuration Protocol. In a networked environment it is the method by which a computer obtains its IP address and related settings from a server when it boots up.

Advantages

All IP configuration (address, mask, default gateway, DNS servers and so on) is assigned to the client automatically by the DHCP server, so nothing has to be typed in and addresses do not collide.

If you move a client machine to a different subnet, it sends its discover message at boot time and gets a lease from the scope for that subnet without any reconfiguration. You will not get back the address you had at the previous location, however, regardless of how little time has passed.

Disadvantages

The machine name does not change when it gets a new IP address, but the DNS record that maps the name to an address does, and it becomes wrong unless it is updated. This only matters when other hosts reach the machine by its DNS name, which is why DHCP is normally combined with dynamic DNS updates.

DHCP has no authentication: a client accepts the first offer it receives, so a rogue DHCP server on the same segment can hand out a malicious gateway or DNS server. Authorizing DHCP servers in Active Directory (which stops unauthorized Windows DHCP servers from serving) and DHCP snooping on switches are the usual mitigations.

4. How do you manually create SRV records in DNS?

a. Open DNS Manager.

b. Expand Forward Lookup Zones, select the zone (for example abc.local) and, inside it, the protocol folder such as _tcp.

c. Right-click the folder and choose Other New Records.

d. Select Service Location (SRV) and click Create Record.

e. Fill in Service (for example _ldap), Protocol (_tcp), Priority, Weight, Port and Host offering this service, then click OK.

Domain controllers register their own SRV records through the Netlogon service, so for Active Directory itself you normally re-register missing records with nltest /dsregdns (or by restarting Netlogon) rather than typing them by hand.
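The same task from the DnsServer module, as an added example that is not part of the original page: first a check of the DC locator records clients rely on, then a hand-made SRV record for an assumed service on an assumed host app01.abc.local.

```powershell
# Added example: verify the DC locator SRV records for abc.local and create a
# custom SRV record. Assumed zone abc.local and host app01.abc.local.
Import-Module DnsServer

$zone = 'abc.local'

# What clients query to find a domain controller (Netlogon registers these itself)
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$zone" -Type SRV |
    Select-Object Name, NameTarget, Priority, Weight, Port

# Manual record: _sip._tcp.abc.local -> app01.abc.local port 5061
# Lower Priority is preferred; Weight balances among equal priorities.
Add-DnsServerResourceRecord -Srv -ZoneName $zone -Name '_sip._tcp' `
    -DomainName "app01.$zone" -Priority 10 -Weight 20 -Port 5061

# Confirm it resolves the way a client would see it
Resolve-DnsName -Name "_sip._tcp.$zone" -Type SRV |
    Select-Object NameTarget, Priority, Weight, Port

# A DC whose own records are missing should re-register them rather than
# have them typed in:  nltest /dsregdns   (run on that DC)
```

Because SRV lookups are how clients choose which server to trust for Kerberos and LDAP, write access to the _msdcs records deserves the same care as the zone's dynamic-update setting: a spoofed _ldap._tcp.dc record points every logon at an attacker-controlled host.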

5. Name 3 benefits of using AD-integrated zones.

Benefits are as follows:

a. The zone is stored in Active Directory and replicated by normal AD replication, so every domain controller running DNS holds a writable copy (multi-master) and there is no single primary server whose loss stops updates.

b. Replication is per record and rides on AD's compressed, authenticated replication traffic; no transfers of the whole zone are needed, which reduces DNS replication traffic.

c. AD-integrated zones support secure dynamic updates: only the account that registered a record (or one explicitly granted rights on it) can change it, which prevents other domain members from overwriting or hijacking records.

d. The replication scope can be chosen: all DCs in the domain, all DNS servers in the domain or in the forest (through the DomainDnsZones and ForestDnsZones application partitions), or a custom application partition.

e. Zone data inherits Active Directory's backup, ACLs and auditing, so a change to a record can be traced to the account that made it.
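Finding the zones that do not get these benefits, and fixing them, as an added example (not from the original page). It assumes the DnsServer module on a domain controller running DNS; the zone name in the last line is an assumption.

```powershell
# Added example: report primary zones that are file-backed or accept
# unauthenticated dynamic updates, then convert and harden them.
Import-Module DnsServer

$zones = Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' }
$zones | Select-Object ZoneName, IsDsIntegrated, ReplicationScope, DynamicUpdate | Format-Table -AutoSize

foreach ($z in $zones) {
    if (-not $z.IsDsIntegrated) {
        # Move the zone into the directory, replicated to every DNS server in the domain.
        ConvertTo-DnsServerPrimaryZone -Name $z.ZoneName -ReplicationScope Domain -Force
    }
    if ($z.DynamicUpdate -ne 'Secure') {
        # NonsecureAndSecure lets any host on the network overwrite other hosts' records;
        # Secure requires the update to be authenticated and checked against the record's ACL.
        Set-DnsServerPrimaryZone -Name $z.ZoneName -DynamicUpdate Secure
    }
}

# A new zone created correctly from the start (assumed name)
Add-DnsServerPrimaryZone -Name 'corp.abc.local' -ReplicationScope Forest -DynamicUpdate Secure
```

The conversion has to happen before the update mode is changed, because Secure is only available on directory-integrated zones; the loop above is ordered for that reason. Note that converting a zone with Forest scope requires the forest-wide partition to be reachable from every DNS server that should host it.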

6. How do I clear the DNS cache on the DNS server?

On the DNS server itself run dnscmd /clearcache (or the Clear-DnsServerCache PowerShell cmdlet), or right-click the server in DNS Manager and choose Clear Cache. ipconfig /flushdns clears only the DNS client resolver cache of the machine it is run on, not the server's cache.

7. What is NAT?

NAT (Network Address Translation) rewrites the source address and port of packets leaving a private network (and the destination of the replies) so that many hosts with private addresses can share one or a few public IP addresses. It was introduced to preserve scarce public IPv4 addresses. Hiding internal addresses is a side effect; NAT is not a firewall.

8. How do you configure NAT on Windows 2003?

Install the Routing and Remote Access service: Administrative Tools > Routing and Remote Access, right-click the server, Configure and Enable Routing and Remote Access, choose Network address translation (NAT), select the interface connected to the Internet as the public interface and enable the basic firewall on it; the LAN interface becomes the private interface. Afterwards, interfaces and port mappings are managed under IP Routing > NAT/Basic Firewall in the same console.

9. How to configure special ports to allow inbound connections?

a. Click Start, Administrative Tools, and then click Routing and Remote Access to open the
Routing and Remote Access management console.

b. Locate the interface that you want to configure.

c. Right-click the interface and then select Properties from the shortcut menu.

d. Click the Special Ports tab.

e. Under Protocol, select TCP or UDP and then click the Add button.
f. Enter the port number of the incoming traffic in Incoming Port.

g. Select On This Address Pool Entry, and provide the public IP address of the incoming traffic.

h. Enter the port number of the private network resource in Outgoing Port.

i. Enter the private network resource’s private IP address in Private Address.

j. Click OK.

What is DHCP's purpose?

DHCP's purpose is to enable individual computers on an IP network to obtain their configuration from a server (the DHCP server) or servers, in particular servers that have no exact information about the individual computers until they request it. The overall purpose is to reduce the work necessary to administer a large IP network. The most significant piece of information distributed this way is the IP address.

What protocol and port does DHCP use?

DHCP, like BOOTP, runs over UDP: the server listens on port 67 and the client on port 68.

What is the Global Catalog?

The Global Catalog (GC) is a partial, read-only copy of every object in the forest, hosted on domain controllers that are designated as GC servers. It resolves user principal names and universal group memberships during logon (which is why a GC must be reachable for a logon to succeed in a multi-domain forest) and answers searches for objects anywhere in the forest or tree. Every forest has at least one GC, hosted on a domain controller; in Windows 2000 it was common to place one GC in every site to prevent logon failures when the WAN link was down.

What is Stub Zone in DNS Server?

A stub zone is a copy of a zone that contains only those resource records necessary to identify
the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to
resolve names between separate DNS namespaces. This type of resolution may be necessary
when a corporate merger requires that the DNS servers for two separate DNS namespaces
resolve names for clients in both namespaces.

A stub zone consists of:

* The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
* The IP address of one or more master servers that can be used to update the stub zone.

The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.

Where is the Active Directory data file stored?

The Active Directory database is %SystemRoot%\NTDS\ntds.dit (the location can be chosen during promotion). The ntds.dit file is the heart of Active Directory: it holds every object, including user accounts and their password hashes, so copies of it (backups, VSS snapshots, virtual machine images) must be protected as carefully as the domain controller itself.

What are the types of records in DNS?

The common record types on a Windows DNS server are: A (IPv4 host address), AAAA (IPv6 host address), CNAME (alias), MX (mail exchanger), NS (name server), SOA (start of authority), PTR (reverse lookup, address to name), SRV (service location, used by clients to find domain controllers and other services) and TXT (free text, used for SPF and similar). Active Directory itself depends on the SRV, A and CNAME records under _msdcs.

What is DHCP and on which ports does DHCP work?

Dynamic Host Configuration Protocol (DHCP) is a network protocol that enables a server to automatically assign an IP address to a computer from a defined range of numbers (a scope) configured for a given network. DHCP assigns an IP address when a system is started.

DHCP uses UDP: the DHCP server listens on port 67 and the DHCP client on port 68.

What is the DORA process in DHCP and how does it work?

DHCP (D)iscover
DHCP (O)ffer
DHCP (R)equest
DHCP (A)cknowledge

1) The client broadcasts a DHCPDISCOVER over UDP; it has no address yet, so the packet goes from 0.0.0.0 to 255.255.255.255.

2) Every DHCP server that hears it replies with a DHCPOFFER containing a proposed address.

3) The client broadcasts a DHCPREQUEST for one offer (normally the first it received), which also tells the other servers that their offers were declined.

4) The chosen server responds with a DHCPACK carrying the IP address, subnet mask, gateway, DNS and WINS servers and the lease time.

What is a Superscope in DHCP?

A superscope allows a DHCP server to provide leases from more than one scope to clients on a single physical network. Before you can create a superscope, you must use DHCP Manager to define all scopes to be included in it. Scopes added to a superscope are called member scopes. Superscopes can resolve DHCP service issues in several situations:

* Support is needed for DHCP clients on a single physical network segment, such as a single Ethernet LAN segment, where multiple logical IP networks are used. When more than one logical IP network is used on a physical network, the configuration is known as a multinet.
* The available address pool for a currently active scope is nearly depleted and more computers need to be added to the physical network segment.
* Clients need to be migrated to a new scope.
* Support is needed for DHCP clients on the other side of BOOTP relay agents, where the network on the other side of the relay agent has multiple logical subnets on one physical network.
* A standard configuration with one DHCP server on a single physical subnet is limited to leasing addresses to clients on that physical subnet.
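The second situation above (a nearly exhausted scope on one wire) handled with the DhcpServer module, as an added example that is not from the original page. The address ranges, option values and the 90 % threshold are assumptions; it assumes a Windows Server 2012 or later DHCP server.

```powershell
# Added example: two scopes for one physical segment joined in a superscope,
# plus a utilisation report. Assumed ranges 10.1.0.0/24 and 10.1.1.0/24.
Import-Module DhcpServer

# A DHCP server that is not authorised in AD will not serve domain clients;
# this is also the list to compare against when hunting a rogue server.
Get-DhcpServerInDC

Add-DhcpServerv4Scope -Name 'Floor1-A' -StartRange 10.1.0.10 -EndRange 10.1.0.250 -SubnetMask 255.255.255.0 -State Active
Add-DhcpServerv4Scope -Name 'Floor1-B' -StartRange 10.1.1.10 -EndRange 10.1.1.250 -SubnetMask 255.255.255.0 -State Active

# Each member scope keeps its own router (the router must have an address on both logical networks)
Set-DhcpServerv4OptionValue -ScopeId 10.1.0.0 -Router 10.1.0.1 -DnsServer 10.0.0.5 -DnsDomain abc.local
Set-DhcpServerv4OptionValue -ScopeId 10.1.1.0 -Router 10.1.1.1 -DnsServer 10.0.0.5 -DnsDomain abc.local

# The superscope tells the server both scopes serve the same wire (a multinet)
Add-DhcpServerv4Superscope -SuperscopeName 'Floor1' -ScopeId 10.1.0.0, 10.1.1.0

# Scopes at or above 90 % in use: the usual trigger for adding another member scope
Get-DhcpServerv4ScopeStatistics |
    Where-Object { $_.PercentageInUse -ge 90 } |
    Select-Object ScopeId, Free, InUse, PercentageInUse
```

When the original scope is exhausted, the server starts answering DISCOVERs from the second member scope; nothing changes for clients that already hold leases in the first.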

What is Active Directory?

Active Directory is a network-based object store and service that locates and manages resources and makes these resources available to authorized users and groups. An underlying principle of Active Directory is that everything is considered an object: people, servers, workstations, printers, documents and devices. Each object has certain attributes and its own security access control list (ACL).

What’s the difference between forward lookup zone and reverse lookup zone in DNS?

Forward lookup is name-to-IP address; the reverse lookup is IP address-to-name.

How to transfer roles in Active Directory?

Using Ntdsutil.exe (roles > connections > connect to server <target DC> > quit > transfer <role>) or, from Windows Server 2008 R2, the Move-ADDirectoryServerOperationMasterRole PowerShell cmdlet. The roles can also be transferred in the GUI: RID master, PDC emulator and infrastructure master in Active Directory Users and Computers, the domain naming master in Active Directory Domains and Trusts, and the schema master in the Active Directory Schema snap-in. Transferring the schema master requires membership in Schema Admins and the domain naming master in Enterprise Admins; the domain roles require Domain Admins. If the current holder is permanently lost, the role must be seized instead (ntdsutil seize <role>, or the cmdlet's -Force switch), and the old holder must never be brought back online.
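The cmdlet form of a transfer and of a seizure, as an added example that is not part of the original page. DC02.abc.local is an assumed target; the seizure line is left commented because it must only ever run against a holder that is gone for good.

```powershell
# Added example: transfer FSMO roles with PowerShell (equivalent to
# ntdsutil "roles / transfer ..."), and seize only as a last resort.
Import-Module ActiveDirectory

$target = 'DC02.abc.local'   # assumed new holder

# Ordinary transfer: the current holder is online and hands the role over,
# so the directory stays consistent. Domain roles first (needs Domain Admins).
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false

# Forest roles (schema master needs Schema Admins, domain naming master needs Enterprise Admins)
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole SchemaMaster, DomainNamingMaster -Confirm:$false

# Seizure (-Force): only when the old holder is permanently lost. The old DC must
# never be reconnected afterwards, or two DCs will claim the same role (RID pools
# handed out twice is the worst case).
# Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole RIDMaster -Force -Confirm:$false

# Verify from the command line
netdom query fsmo
```

The cmdlet tries a normal transfer first even with -Force and only seizes if the current holder does not answer, which is the same order of operations ntdsutil's seize command follows.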

How to back up Active Directory, and which main file do you take in a backup of Active Directory?

On Windows 2000/2003 you take the backup with the Ntbackup utility (Windows Server Backup or wbadmin on later versions).

Active Directory is backed up as part of System State, a collection of system components that depend on each other. You must back up and restore the System State components together. The components that make up the System State on a domain controller include:

* System start-up files (boot files). These are the files required for Windows 2000 Server to start.
* System registry.
* Class registration database of Component Services. The Component Object Model (COM) is a binary standard for writing component software in a distributed-systems environment.
* SYSVOL. The system volume provides a default Active Directory location for files that must be shared for common access throughout a domain. The SYSVOL folder on a domain controller contains:
  o NETLOGON shared folders. These usually host user logon scripts and Group Policy objects (GPOs) for non-Windows 2000-based network clients.
  o User logon scripts for Windows 2000 Professional-based clients and clients that are running Windows 95, Windows 98, or Windows NT 4.0.
  o Windows 2000 GPOs.
  o File system junctions.
  o File Replication Service (FRS) staging directories and files that are required to be available and synchronized between domain controllers.
* Active Directory. Active Directory includes:
  o Ntds.dit: the Active Directory database (the main file).
  o Edb.chk: the checkpoint file.
  o Edb*.log: the transaction logs, each 10 megabytes (MB) in size.
  o Res1.log and Res2.log: reserved transaction logs.

Because the System State contains ntds.dit and therefore every account's password hash, backup media must be encrypted and access-controlled, and a backup older than the tombstone lifetime (60 or 180 days depending on when the forest was created) cannot be restored.
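A System State backup on a current domain controller, with the age check that decides whether an existing backup is still restorable, as an added example that is not part of the original page. It assumes Windows Server 2012 or later with the Windows Server Backup feature installed (ntbackup on 2003 has no equivalent cmdlets) and an assumed backup target of E:.

```powershell
# Added example: take a System State backup with wbadmin and check that the
# newest successful backup is younger than the forest's tombstone lifetime.
# Assumes Windows Server Backup is installed (Install-WindowsFeature Windows-Server-Backup)
# and backup target E: (assumed).
Import-Module ActiveDirectory
Import-Module WindowsServerBackup

# System State includes ntds.dit, SYSVOL, registry and boot files together
wbadmin start systemstatebackup -backupTarget:E: -quiet

# Tombstone lifetime in days. The attribute is unset on forests created before
# Windows Server 2003 SP1, which means the old default of 60; newer forests carry 180.
$cfg   = (Get-ADRootDSE).configurationNamingContext
$dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
$tsl   = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }

# Age of the newest successful backup on this server
$last = (Get-WBSummary).LastSuccessfulBackupTime
$age  = (Get-Date) - $last

if ($age.TotalDays -gt $tsl) {
    Write-Warning "Last successful backup ($last) is $([int]$age.TotalDays) days old, older than the tombstone lifetime ($tsl days); it cannot be used for an AD restore."
} else {
    "Last successful backup $last is $([int]$age.TotalDays) days old (tombstone lifetime $tsl days)."
}
```

The age check matters because a domain controller restored from a backup older than the tombstone lifetime would reintroduce objects the rest of the domain has already deleted and forgotten (lingering objects); the restore is refused for that reason. And since E: now holds a copy of ntds.dit, the backup target needs the same access control as the DC itself.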
