Monday, March 7, 2022

Top 10 Active Directory Interview Questions And Answers - Part 1 - Tech Aarya Blog





Question 1: What are the FSMO (Flexible Single Master Operation) roles?

Answer: There are five FSMO roles in total: two at the forest level and three at the domain level.

Forest-level roles: Schema Master and Domain Naming Master.

Domain-level roles: PDC Emulator, RID Master and Infrastructure Master.

 

Question 2: What role does a PDC Emulator play?

Answer: The DC holding the Primary Domain Controller (PDC) Emulator role is the authoritative DC in the domain. The PDC Emulator responds to authentication requests, handles password changes and manages Group Policy Objects, and it is the authoritative time source that tells everyone else in the domain what time it is. It’s good to be the PDC.

 

Question 3: How do you change the RID Master FSMO role?

Answer:

Step 1. Start the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in on the domain controller (DC). (From the Start menu, select Programs, Administrative Tools, Active Directory Users and Computers.)

Step 2. In the leftmost pane, right-click the domain, and select Connect to Domain Controller.

Step 3. Select the DC you want to make the Flexible Single-Master Operation (FSMO) role owner, as the screen shows, and click OK.

Step 4. Right-click the domain again, and select Operations Master from the context menu.

Step 5. Select the RID Pool tab.

Step 6. You’ll see the name of the machine that currently holds the RID Master FSMO role.

Step 7. To make a change, click Change.

Step 8. Click OK in the confirmation dialog box.

Step 9. Finally, you’ll see a dialog box confirming the role change.

 

Question 4: How do you change the PDC Emulator FSMO role?

Answer:

Step 1. Start the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in on the domain controller (DC). (From the Start menu, select Programs, Administrative Tools, Active Directory Users and Computers.)

Step 2. In the leftmost pane, right-click the domain, and select Connect to Domain Controller.

Step 3. Select the DC you want to make the Flexible Single-Master Operation (FSMO) role owner, as the screen shows, and click OK.

Step 4. Right-click the domain again, and select Operations Master from the context menu.

Step 5. Select the PDC tab.

Step 6. You’ll see the name of the machine that currently holds the PDC Emulator FSMO role.

Step 7. To make a change, click Change.

Step 8. Click OK in the confirmation dialog box.

Step 9. Finally, you’ll see a dialog box confirming the role change.
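The same RID Master and PDC Emulator transfer (Questions 3 and 4) done from PowerShell, as an added example that is not part of the original post. It assumes the ActiveDirectory module, Domain Admin rights, and uses DC02 as a placeholder DC name.

```powershell
# Added example (not from the original post): transfer the RID Master and PDC
# Emulator roles with the ActiveDirectory module instead of the GUI walk-through.
# Assumptions: module installed, run as Domain Admin, 'DC02' is a placeholder DC name.
Import-Module ActiveDirectory

$TargetDc = 'DC02'   # placeholder: the DC that should own both roles

function Get-DomainFsmoHolders {
    # Domain-level role holders (Question 1), captured before and after the move.
    $d = Get-ADDomain
    [pscustomobject]@{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

'Before:'; Get-DomainFsmoHolders | Format-List

# Graceful transfer: the current holder must be online and hands the role over.
# Do not add -Force (a seizure) unless the current holder is permanently gone; a
# DC whose role was seized must never return to the network with its stale copy.
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc `
    -OperationMasterRole RIDMaster, PDCEmulator -Confirm:$false

$after = Get-DomainFsmoHolders
'After:'; $after | Format-List

# Verify against the chosen DC's FQDN, which is the form Get-ADDomain reports.
$fqdn = (Get-ADDomainController -Identity $TargetDc).HostName
if ($after.RIDMaster -ne $fqdn -or $after.PDCEmulator -ne $fqdn) {
    throw "Transfer incomplete: RID=$($after.RIDMaster) PDC=$($after.PDCEmulator)"
}
```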

 

Question 5: What is multi-master replication?

Answer: The replication model used in Active Directory Domain Services is called multi-master loose consistency with convergence. In this model the directory can have many replicas, and a replication system propagates changes made at any given replica to all other replicas. The replicas are not guaranteed to be consistent with each other at any particular moment ("loose consistency"), because changes can be applied to any replica at any time ("multi-master"); once changes stop arriving, replication brings every replica to the same state ("convergence").
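One way to observe loose consistency and convergence directly, as an added example that is not part of the original post: read one attribute’s replication metadata from every DC and compare the per-DC version numbers. It assumes the ActiveDirectory module; the account name and attribute are placeholders.

```powershell
# Added example (not from the original post): observe "loose consistency with
# convergence" by reading one attribute's replication metadata on every DC.
# Assumptions: ActiveDirectory module; 'jdoe' and 'description' are placeholders.
Import-Module ActiveDirectory

function Test-AttributeConvergence {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Attribute
    )
    $obj  = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)"
    $rows = foreach ($dc in Get-ADDomainController -Filter *) {
        # Each DC keeps its own metadata; Version is bumped once per originating
        # write, so replicas that report the same Version hold the same value.
        Get-ADReplicationAttributeMetadata -Object $obj.DistinguishedName `
                                           -Server $dc.HostName -Properties $Attribute |
            Where-Object { $_.AttributeName -eq $Attribute } |
            Select-Object @{ n = 'DC'; e = { $dc.HostName } }, Version,
                          LastOriginatingChangeTime,
                          LastOriginatingChangeDirectoryServerIdentity
    }
    [pscustomobject]@{
        Converged = (($rows.Version | Sort-Object -Unique).Count -le 1)
        Replicas  = $rows
    }
}

$r = Test-AttributeConvergence -SamAccountName 'jdoe' -Attribute 'description'
$r.Replicas | Format-Table -AutoSize
if (-not $r.Converged) {
    # Brief disagreement right after a change is the "loose consistency" part;
    # persistent disagreement points at a replication failure (repadmin /showrepl).
    Write-Warning 'Replicas still differ; re-check after the replication interval.'
}
```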

 

Question 6: How do you move a server to a different site?

Answer:

Step 1. Start the Microsoft Management Console (MMC) Active Directory Sites and Services snap-in. (From the Start menu, select Programs, Administrative Tools, Active Directory Sites and Services.)

Step 2. Expand the Sites container.

Step 3. Expand the site that currently contains the server, and expand the Servers container.

Step 4. Right-click the server, and select Move from the context menu, as the screen shows.

Step 5. You’ll see a list of all the sites. Select the new target site, and click OK.

 

Question 7: How can a server belong to more than one site?

Answer: By default, a server belongs to only one site. However, you might want to configure a server to belong to multiple sites.

Because sites are used for replication, for clients to locate resources, and to reduce traffic on intersite connections, simply modifying a site’s membership might cause performance problems.

To configure a server for multiple site membership, perform the following steps.

Step 1. Log on to the server you want to join to multiple sites.

Step 2. Start regedt32.

Step 3. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry key.

Step 4. Select Add Value from the Edit menu.

Step 5. Enter the name SiteCoverage and the type REG_MULTI_SZ.

Step 6. Click OK.

Step 7. Enter the names of the sites to join, each on a new line. (Press Shift + Enter to move to the next line.)

Step 8. Click OK.

Step 9. Close the registry editor.

This process doesn’t create the corresponding site objects in Active Directory (AD); you must add those objects manually.
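The site move (Question 6) and the SiteCoverage setting (Question 7) scripted together, with a check that the named sites exist and a DNS query showing the effect, as an added example that is not part of the original post. It assumes it runs on the DC itself as an administrator; the site names are placeholders.

```powershell
# Added example (not from the original post): move a DC into another site
# (Question 6) and make it cover two further sites via SiteCoverage (Question 7),
# then confirm that it now advertises site-specific SRV records for them.
# Assumptions: run on the DC itself as an administrator; site names are placeholders.
Import-Module ActiveDirectory

$Dc           = $env:COMPUTERNAME
$NewSite      = 'Head-Office'                # placeholder site to move the DC into
$CoveredSites = @('Branch-A', 'Branch-B')    # placeholder sites that have no local DC

# SiteCoverage does not create site objects: every name must already exist in AD.
foreach ($site in @($NewSite) + $CoveredSites) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        throw "Site '$site' does not exist in Active Directory; create it first."
    }
}

# Question 6: relocate the server object under the new site's Servers container.
Move-ADDirectoryServer -Identity $Dc -Site $NewSite

# Question 7: REG_MULTI_SZ with one site per entry (the GUI's one-name-per-line input).
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
New-ItemProperty -Path $params -Name SiteCoverage -PropertyType MultiString `
                 -Value $CoveredSites -Force | Out-Null

# Netlogon registers its DNS records on start, so restart it to publish the change.
Restart-Service Netlogon

# Verify: each covered site should now resolve an _ldap SRV record naming this DC.
$domain = (Get-ADDomain).DNSRoot
$fqdn   = (Get-ADDomainController -Identity $Dc).HostName
foreach ($site in $CoveredSites) {
    $srv = Resolve-DnsName -Name "_ldap._tcp.$site._sites.dc._msdcs.$domain" -Type SRV `
                           -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'SRV' }
    if ($srv.NameTarget -contains $fqdn) {
        "OK: $fqdn is advertised for site $site"
    } else {
        Write-Warning "$fqdn is not yet listed for $site (DNS registration can lag)"
    }
}
```

Clients in the covered sites will now pick this DC, so run it where the extra authentication and replication load is acceptable.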

 

Question 8: How do you back up Active Directory and the System State?

Answer: Active Directory is backed up as part of the System State on a domain controller whenever you perform a backup using Windows Server Backup, Wbadmin.exe, or PowerShell.

 

The bare minimum you need to back up to protect essential Active Directory data on a domain controller is the System State. The System State includes the following list plus some additional items depending on the roles that are installed:

 

Domain controller: Active Directory DC database files (NTDS.DIT), boot files & system protected files, COM+ class registration database, registry, system volume (SYSVOL)

Domain member: Boot files, COM+ class registration database, registry

A machine running cluster services: Additionally backs up cluster server metadata

A machine running certificate services: Additionally backs up certificate data

 

Question 9: How do you allow modifications to the schema?

Answer: The schema is extensible, which means that you can change it. However, modifying the schema is dangerous because doing so affects the entire forest. Microsoft doesn’t recommend schema modification.

 

If you insist on modifying the schema, you can use the GUI or edit the registry. To use the GUI, you must first register the .dll file for the Microsoft Management Console (MMC) snap-in. Go to a command prompt, and enter

regsvr32 schmmgmt.dll

Then use MMC to start the Schema Manager and add the Active Directory Schema snap-in to it. (From the Start menu, select Run, and enter MMC. From the Console menu, select Add/Remove Snap-in. Click Add, and select Active Directory Schema. Finally, click Add, Close, OK.)

 

Step 1. Start the MMC Active Directory Schema snap-in on the domain controller (DC).

Step 2. In the leftmost pane, right-click Active Directory Schema, and select Operations Master from the context menu.

Step 3. You’ll see the name of the machine that holds the domain name operations Flexible Single-Master Operation (FSMO) role, as the screen shows.

Step 4. Select the checkbox labeled “The Schema may be modified on this server.”

Step 5. Click OK in the confirmation dialog box.

 

Another way to modify the schema is to edit the registry.

 

Step 1. Start regedit.

Step 2. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters registry key.

Step 3. Double-click Schema Update Allowed (of type REG_DWORD).

Step 4. Set the value to 1.

Step 5. Click OK.

Step 6. Close the registry editor.
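A defender’s audit of the state that both procedures above change, as an added example that is not part of the original post: who holds the Schema Master, who sits in Schema Admins, the current schema version, and whether the registry switch is set. It assumes the ActiveDirectory module and rights to read the Schema Master’s registry remotely.

```powershell
# Added example (not from the original post): audit the schema-change settings
# that Question 9's two procedures touch. Assumptions: ActiveDirectory module,
# and permission to run Invoke-Command against the Schema Master.
Import-Module ActiveDirectory

function Get-SchemaChangeReadiness {
    $forest  = Get-ADForest
    $rootDse = Get-ADRootDSE
    $master  = $forest.SchemaMaster

    # Only members of Schema Admins (a forest-root group) may modify the schema;
    # keep it empty except for the duration of a planned schema change.
    $admins  = @(Get-ADGroupMember -Identity 'Schema Admins' -Server $forest.RootDomain)

    # objectVersion on the schema naming context rises with each schema extension.
    $version = (Get-ADObject -Identity $rootDse.schemaNamingContext `
                             -Properties objectVersion).objectVersion

    # The registry switch from the second procedure matters only on the Schema Master.
    $regValue = Invoke-Command -ComputerName $master -ScriptBlock {
        (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                          -Name 'Schema Update Allowed' -ErrorAction SilentlyContinue).'Schema Update Allowed'
    }

    [pscustomobject]@{
        SchemaMaster        = $master
        SchemaVersion       = $version
        SchemaAdminsMembers = $admins.Count
        SchemaAdminsNames   = ($admins.SamAccountName -join ', ')
        SchemaUpdateAllowed = $regValue
    }
}

$state = Get-SchemaChangeReadiness
$state | Format-List
if ($state.SchemaAdminsMembers -gt 0) {
    Write-Warning 'Schema Admins is not empty; confirm a schema change is actually planned.'
}
if ($state.SchemaUpdateAllowed -eq 1) {
    Write-Warning 'Schema Update Allowed is set on the Schema Master; clear it when finished.'
}
```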

 

 

Question 10: What are tombstone objects? Follow-up question: What are “lingering objects”?

Answer:

When you delete an object from the Active Directory (AD) database, it is marked as a tombstone object instead of being removed outright. By default, each tombstone remains in the database for 180 days (the tombstone lifetime). Once the tombstone lifetime is exceeded, the tombstone is removed automatically by the garbage collection process. Administrators can change the default tombstone lifetime value by using the ADSI Edit tool.

A lingering object is a deleted AD object that reappears (“lingers”) on a restored domain controller (DC) in its local copy of Active Directory. This can happen when the object was deleted on another DC after the backup was taken and the DC is restored more than 180 days later: the tombstone has already been garbage-collected, so the deletion can no longer replicate to the restored DC.
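The System State backup from Question 8 taken with the Windows Server Backup cmdlets, then checked against the forest’s tombstone lifetime from Question 10, as an added example that is not part of the original post. It assumes the Windows Server Backup feature and ActiveDirectory module are installed; the E: target volume is a placeholder.

```powershell
# Added example (not from the original post): take the System State backup from
# Question 8 with the Windows Server Backup cmdlets, then check its age against the
# tombstone lifetime from Question 10. A backup older than that lifetime must not be
# restored, because the restored DC would carry lingering objects.
# Assumptions: Windows Server Backup feature installed; 'E:' is a placeholder target.
Import-Module ActiveDirectory
Import-Module WindowsServerBackup

function Start-SystemStateBackup([string]$TargetVolume) {
    $policy = New-WBPolicy
    Add-WBSystemState -Policy $policy                 # NTDS.DIT, SYSVOL, registry, ...
    $target = New-WBBackupTarget -VolumePath $TargetVolume
    Add-WBBackupTarget -Policy $policy -Target $target
    Start-WBBackup -Policy $policy                    # runs synchronously
}

function Get-TombstoneLifetimeDays {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
                        -Properties tombstoneLifetime
    # Forests created before Windows Server 2003 SP1 leave the attribute unset and
    # the directory then uses its built-in 60-day value; newer forests carry 180.
    if ($null -eq $ds.tombstoneLifetime) { 60 } else { $ds.tombstoneLifetime }
}

function Test-BackupRestorable {
    $tsl  = Get-TombstoneLifetimeDays
    $last = (Get-WBSummary).LastSuccessfulBackupTime
    $age  = ((Get-Date) - $last).TotalDays
    [pscustomobject]@{
        LastSuccessfulBackup  = $last
        AgeDays               = [math]::Round($age, 1)
        TombstoneLifetimeDays = $tsl
        Restorable            = ($age -lt $tsl)
    }
}

Start-SystemStateBackup -TargetVolume 'E:'
$check = Test-BackupRestorable
$check | Format-List
if (-not $check.Restorable) {
    Write-Warning 'Latest backup is older than the tombstone lifetime; do not restore it.'
}
```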

