1) What is Active Directory?
Active Directory is a directory structure used on Microsoft Windows-based servers and computers to store data and information about networks and domains.
2) What are the new features in Active Directory (AD) of Windows Server 2012?
- dcpromo (Domain Controller Promoter) with improved wizard: it lets you view all the steps and review the detailed results during the installation process.
- Enhanced Administrative Center: compared with earlier versions of Active Directory, the Administrative Center in Windows Server 2012 is well designed. The Exchange Management Console is well designed.
- Recycle Bin goes GUI: in Windows Server 2012 there are now many ways to enable the Active Directory Recycle Bin through the GUI in the Active Directory Administrative Center, which was not possible in earlier versions.
- Fine-grained password policies (FGPP): in Windows Server 2012 implementing FGPP is much easier than in earlier versions. It lets you create different password policies in the same domain.
- Windows PowerShell History Viewer: you can view the Windows PowerShell commands that correspond to the actions you perform in the Active Directory Administrative Center UI.
3) Which is the default protocol used in directory services?
The default protocol used in directory services is LDAP (Lightweight Directory Access Protocol).
4) Explain the term FOREST in AD.
A forest is an assembly of AD domains that share a single schema for the AD. All DCs in the forest share this schema, which is replicated among them in a hierarchical fashion.
5) Explain what SYSVOL is.
The SYSVOL folder keeps the server’s copy of the domain’s public files. Its contents, such as users, Group Policy, etc., are replicated to all domain controllers in the domain.
6) What is the difference between the Domain Admins group and the Enterprise Admins group in AD?
Enterprise Admins group
- Members of this group have complete control of all domains in the forest
- By default, this group is a member of the Administrators group on all domain controllers in the forest
- As such, this group has full control of the forest; add users with caution
Domain Admins group
- Members of this group have complete control of the domain
- By default, this group is a member of the Administrators group on all domain controllers, workstations and member servers at the time they are joined to the domain
- As such, this group has full control in the domain; add users with caution
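Because both groups grant full control, their effective membership is worth auditing regularly. The following PowerShell script is an added example, not part of the original page: it expands nested membership of both groups and flags non-user members and stale accounts. It assumes the ActiveDirectory module (RSAT), that members live in the same domain as the group, and a 90-day staleness threshold (an assumed value).

```powershell
# Added example: audit effective membership of Enterprise Admins and Domain
# Admins. Assumes the ActiveDirectory module and that members reside in the
# domain that holds the group; the 90-day threshold is an assumption.
Import-Module ActiveDirectory

$staleAfterDays = 90
$staleCutoff    = (Get-Date).AddDays(-$staleAfterDays)

# Enterprise Admins exists only in the forest root domain, so query it there.
$targets = @(
    @{ Group = 'Enterprise Admins'; Server = (Get-ADForest).RootDomain },
    @{ Group = 'Domain Admins';     Server = (Get-ADDomain).DNSRoot }
)

foreach ($t in $targets) {
    # -Recursive expands nested groups so indirect members are not missed.
    $members = @(Get-ADGroupMember -Identity $t.Group -Server $t.Server -Recursive)
    Write-Host "`n== $($t.Group) in $($t.Server): $($members.Count) effective member(s) =="

    foreach ($m in $members) {
        $flags = @()
        if ($m.objectClass -ne 'user') {
            # Computers or service principals in an admin group are unusual.
            $flags += "object class is $($m.objectClass)"
        } else {
            $u = Get-ADUser -Identity $m.DistinguishedName -Server $t.Server `
                            -Properties Enabled, LastLogonDate, PasswordLastSet
            if (-not $u.Enabled) { $flags += 'disabled' }
            if ($u.LastLogonDate -and $u.LastLogonDate -lt $staleCutoff) {
                $flags += "no logon in $staleAfterDays days"
            }
            if ($u.PasswordLastSet -and $u.PasswordLastSet -lt $staleCutoff) {
                $flags += "password older than $staleAfterDays days"
            }
        }
        "{0,-25} {1}" -f $m.SamAccountName, ($flags -join '; ')
    }
}
```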
7) What does system state data contain?
System state data contains:
- Startup files
- Registry
- COM+ Registration Database
- Memory page file
- System files
- AD information
- SYSVOL folder
- Cluster service information
8) What is Kerberos?
Kerberos is a network authentication protocol. It is built to offer strong authentication for client/server applications by using secret-key cryptography.
9) Explain where the AD database is held. What other files are related to AD?
The AD database is saved in %systemroot%\NTDS. In the same folder you can also see other files; these are the main files controlling the AD structures:
- ntds.dit
- edb.log
- res1.log
- res2.log
- edb.chk
10) What is the PDC emulator, and how would one know whether the PDC emulator is working or not?
PDC emulator: there is one PDC emulator per domain, and when there is a failed authentication attempt it is forwarded to the PDC emulator. It acts as a “tie-breaker” and it controls time synchronisation across the domain.
These are the symptoms by which we can tell whether the PDC emulator is working or not:
- Time is not syncing
- Users' accounts are not locked out
- Windows NT BDCs are not getting updates
- Pre-Windows 2000 computers are unable to change their passwords
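The following PowerShell script is an added example, not part of the original page: it locates the PDC emulator and runs the checks behind the symptoms listed above (role holder agreement, time source, clock offset and advertising). It assumes the ActiveDirectory module and the built-in nltest, w32tm and dcdiag tools.

```powershell
# Added example: basic PDC emulator health checks. Assumes the ActiveDirectory
# module plus nltest.exe, w32tm.exe and dcdiag.exe on the path.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$dnsName = $domain.DNSRoot
$pdc     = $domain.PDCEmulator
Write-Host "PDC emulator for ${dnsName}: $pdc"

# 1. Does the DC locator agree on who holds the role? A mismatch means
#    password changes and lockout forwarding may be going to the wrong DC.
nltest "/dsgetdc:$dnsName" /pdc

# 2. Time: the PDC emulator is the root of the domain's time hierarchy, so it
#    should take time from a reliable external source, not its own clock.
#    Kerberos tolerates only a small skew, so a drifting PDC breaks logons.
$source = (w32tm /query "/computer:$pdc" /source) -join ' '
if ($source -match 'Local CMOS Clock|Free-running') {
    Write-Warning "PDC emulator $pdc is using its local clock: $source"
} else {
    Write-Host "Time source on ${pdc}: $source"
}

# 3. Clock offset between this host and the PDC emulator, three samples.
w32tm /stripchart "/computer:$pdc" /samples:3 /dataonly

# 4. Is the role holder reachable, advertising its services, and does it
#    agree with the directory about the FSMO roles?
dcdiag "/s:$pdc" /test:Advertising /test:FsmoCheck
```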
11) What are lingering objects?
Lingering objects can exist if a domain controller does not replicate for an interval of time that is longer than the tombstone lifetime (TSL).
12) What is the TOMBSTONE lifetime?
The tombstone lifetime in Active Directory determines how long a deleted object is retained in Active Directory. Deleted objects in Active Directory are stored in a special object referred to as a TOMBSTONE. Usually, Windows will use a 60-day tombstone lifetime if the value is not set in the forest configuration.
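The following PowerShell script is an added example, not part of the original page: it reads the forest's tombstone lifetime (falling back to the 60-day default described above) and reports any domain controller whose last successful inbound replication is older than that, which is exactly the condition under which lingering objects appear. It assumes the ActiveDirectory module on a domain-joined host.

```powershell
# Added example: compare the tombstone lifetime with each DC's last successful
# inbound replication. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# The forest-wide setting lives on the Directory Service object in the
# configuration partition; when the attribute is unset the 60-day default applies.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                         -Properties tombstoneLifetime
$tsl = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }
Write-Host "Tombstone lifetime: $tsl days"

$cutoff = (Get-Date).AddDays(-$tsl)
$atRisk = 0

foreach ($dc in Get-ADDomainController -Filter *) {
    # One row per inbound partner and naming context.
    $partners = Get-ADReplicationPartnerMetadata -Target $dc.HostName `
                    -PartnerType Inbound -Scope Server
    foreach ($p in $partners) {
        if ($p.LastReplicationSuccess -lt $cutoff) {
            $atRisk++
            Write-Warning ("{0} has not replicated {1} from {2} since {3}: beyond TSL, lingering objects possible" -f
                $dc.HostName, $p.Partition, $p.Partner, $p.LastReplicationSuccess)
        }
    }
}
Write-Host "$atRisk replication link(s) beyond the tombstone lifetime."
```

Links reported here should be checked with `repadmin /removelingeringobjects <DestDC> <SourceDC GUID> <NC> /advisory_mode`, which only lists suspected lingering objects without removing them.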
13) Explain what the Active Directory schema is.
The schema is the Active Directory component that describes all the attributes and objects the directory service uses to store data.
14) Explain what a child DC is.
A CDC, or child DC, is a domain controller for a sub-domain under the root domain, sharing its namespace.
15) Explain what the RID Master is.
The RID Master (Relative Identifier Master) is responsible for assigning unique IDs to objects created in AD.
16) What are the components of AD?
Components of AD include:
- Logical structure: trees, forests, domains and OUs
- Physical structure: domain controllers and sites
17) Explain what the Infrastructure Master is.
The Infrastructure Master is responsible for updating information about users and groups and the global catalogue.
18) Define Active Directory
Active Directory is a database that stores data pertaining to the users within a network as well as the objects within the network. Active Directory allows the compilation of networks that connect with AD, as well as the management and administration thereof.
19) What is a domain within Active Directory?
A domain represents the group of network resources that includes computers, printers, applications and other resources. Domains share a directory database. The domain is represented by the address of the resources within the database. A domain address generally looks like 125.170.456. A user can log into a domain to gain access to the resources that are listed as part of that domain.
20) What is the domain controller?
The server that responds to user requests for access to the domain is called the Domain Controller or DC. The Domain Controller allows a user to gain access to the resources within the domain through the use of a single username and password.
21) Explain what domain trees and forests are
Domains that share common schemas and configurations can be linked to form a contiguous namespace. Domains within the trees are linked together by creating special relationships between the domains based on trust.
Forests consist of a number of domain trees that are linked together within AD, based on various implicit trust relationships. Forests are generally created where a server setup includes a number of root DNS addresses. Trees within the forest do not share a contiguous namespace.
22) What is LDAP?
LDAP is an acronym for Lightweight Directory Access Protocol and it refers to the protocol used to access, query and modify the data stored within the AD directories. LDAP is an internet standard protocol that runs over TCP/IP.
23) Explain what intrasite and intersite replication are and how the KCC facilitates replication
The replication of DCs inside a single site is called intrasite replication, whilst the replication of DCs on different sites is called intersite replication. Intrasite replication occurs frequently, while intersite replication occurs less often, mainly to conserve network bandwidth.
KCC is an acronym for the Knowledge Consistency Checker. The KCC is a process that runs on all of the domain controllers. The KCC builds the replication topology for replication within sites and between sites. Between sites, replication is done through SMTP or RPC, whilst intrasite replication is done using remote procedure calls over IP.
24) Name a few of the tools available in Active Directory, and which tool would you use to troubleshoot any replication issues?
Active Directory tools include:
- Dfsutil.exe
- Netdiag.exe
- Repadmin.exe
- Adsiedit.msc
- Netdom.exe
- Replmon.exe
Replmon.exe is a graphical tool designed to visually represent AD replication. Due to its graphical nature, Replmon.exe allows you to easily spot and deal with replication issues.
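Repadmin.exe from the list above is the command-line counterpart for the same job. The following PowerShell script is an added example, not part of the original page: it collects the replication status of every DC with `repadmin /showrepl * /csv`, reports only the failing links and translates the most common failure codes. It assumes repadmin.exe (part of the AD DS tools) is on the path.

```powershell
# Added example: report failing replication links with repadmin. Assumes
# repadmin.exe is available on the host running the script.
$knownErrors = @{
    1256 = 'remote system not available'
    1722 = 'RPC server unavailable (firewall, DNS or the source DC is down)'
    8453 = 'replication access denied'
    8606 = 'insufficient attributes, typically a lingering object'
    8614 = 'source DC has not replicated for longer than the tombstone lifetime'
}

# repadmin prints one header line followed by one row per partner link and
# naming context, which ConvertFrom-Csv turns into objects.
$rows    = repadmin /showrepl * /csv | ConvertFrom-Csv
$failing = @($rows | Where-Object { [int]$_.'Number of Failures' -gt 0 })

if ($failing.Count -eq 0) {
    Write-Host 'No failing replication links reported.'
} else {
    foreach ($r in $failing) {
        $code    = [int]$r.'Last Failure Status'
        $meaning = if ($knownErrors.ContainsKey($code)) { $knownErrors[$code] } else { 'unlisted status code' }
        "{0} <- {1} [{2}]: {3} failure(s), last status {4} ({5}), last success {6}" -f
            $r.'Destination DSA', $r.'Source DSA', $r.'Naming Context',
            $r.'Number of Failures', $code, $meaning, $r.'Last Success Time'
    }
}

# One-screen summary per DC: largest replication delta and failure counts.
repadmin /replsummary
```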
25) What tool would you use to edit AD?
Adsiedit.msc is a low-level editing tool for Active Directory. Adsiedit.msc is a Microsoft Management Console snap-in with a graphical user interface that allows administrators to accomplish simple tasks like adding, editing and deleting objects within a directory service. Adsiedit.msc uses Application Programming Interfaces to access Active Directory. Since Adsiedit.msc is a Microsoft Management Console snap-in, it requires access to MMC and a connection to an Active Directory environment to function correctly.
26) How would you manage trust relationships from the command prompt?
Netdom.exe is another program within Active Directory that allows administrators to manage Active Directory. Netdom.exe is a command-line application that allows administrators to manage trust relationships within Active Directory from the command prompt. Netdom.exe allows for batch management of trusts. It allows administrators to join computers to domains. The application also allows administrators to verify trusts and secure Active Directory channels.
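The following PowerShell script is an added example, not part of the original page: it lists every trust of the current domain with the settings that matter for security (SID filtering, selective authentication, TGT delegation) and then verifies each trust this domain relies on with `netdom trust ... /verify`. It assumes the ActiveDirectory module and netdom.exe on a domain-joined host.

```powershell
# Added example: review trust settings and verify trust secrets with netdom.
# Assumes the ActiveDirectory module and netdom.exe.
Import-Module ActiveDirectory

$localDomain = (Get-ADDomain).DNSRoot

foreach ($t in Get-ADTrust -Filter *) {
    $notes    = @()
    $external = -not $t.IntraForest -and -not $t.ForestTransitive

    # SID filtering stops the trusted side from presenting foreign SIDs (for
    # example via SIDHistory); a trust with it switched off deserves a second look.
    if ($external -and -not $t.SIDFilteringQuarantined) {
        $notes += 'SID filtering (quarantine) off'
    }
    if ($t.ForestTransitive -and -not $t.SIDFilteringForestAware) {
        $notes += 'forest-aware SID filtering off'
    }
    # Without selective authentication every user on the other side can
    # authenticate to every resource here.
    if (-not $t.SelectiveAuthentication) { $notes += 'domain-wide authentication' }
    if ($t.TGTDelegation)                { $notes += 'TGT delegation allowed across trust' }

    "{0,-30} {1,-13} {2,-10} {3}" -f $t.Name, $t.Direction, $t.TrustType, ($notes -join '; ')

    # netdom checks the shared trust secret from the trusting side, so verify
    # only where this domain trusts the other (Outbound or BiDirectional).
    if ($t.Direction -in 'Outbound', 'BiDirectional') {
        netdom trust $localDomain "/d:$($t.Name)" /verify
    }
}
```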
27) Where is the AD database held, and how would you create a backup of the database?
The database is stored within the Windows NTDS directory. You could create a backup of the database by creating a backup of the System State data using the default NTBACKUP tool provided by Windows or by Symantec’s NetBackup. The System State backup will create a backup of the local registry, the boot files, the COM+ database, the NTDS.DIT file as well as the SYSVOL folder.
28) What is SYSVOL, and why is it important?
SYSVOL is a folder that exists on all domain controllers. It is the repository for all of the Active Directory files. It stores all the important elements of Active Directory Group Policy. The File Replication Service, or FRS, allows the replication of the SYSVOL folder among domain controllers. Logon scripts and policies are delivered to each domain user via SYSVOL.
SYSVOL stores all of the security-related information of the AD.
29) Briefly explain how Active Directory authentication works
When a user logs into the network, the user provides a username and password. The computer sends this username and password to the KDC, which contains the master list of unique long-term keys for each user. The KDC creates a session key and a ticket-granting ticket. This data is sent to the user’s computer. The user’s computer runs the data through a one-way hashing function that converts the data into the user’s master key, which in turn enables the computer to communicate with the KDC to access the resources of the domain.