1. What is CA Directory Server? How does it work?
CA Directory is an LDAP server implementation from Computer Associates. CA Directory uses Directory Server Analysts (DSAs) of different types, which are described below:
• Router DSA: A router DSA has no local data and no datastore. It can only route traffic to other DSAs.
• Data DSA: A data DSA holds data, and queries are routed to it by router DSAs. A data DSA can perform local operations, replicate updates, and route traffic to other DSAs.
• Third-party DSA: This is a DSA from an external vendor.
2. What is Active Directory?
Active Directory is a directory structure used on Microsoft Windows-based servers and computers to store data and information about networks and domains.
3. What are the new features in Active Directory (AD) of Windows Server 2012?
• dcpromo (Domain Controller Promoter) with improved wizard: It allows you to view all the steps and review the detailed results during the installation process.
• Enhanced Administrative Center: Compared to earlier versions of Active Directory, the Administrative Center is well designed in Windows Server 2012, as is the Exchange management console.
• Recycle bin goes GUI: In Windows Server 2012 there are now several ways to enable the Active Directory Recycle Bin through the GUI in the Active Directory Administrative Center, which was not possible in earlier versions.
• Fine-grained password policies (FGPP): In Windows Server 2012, implementing FGPP is much easier than in earlier versions. It allows you to create different password policies within the same domain.
• Windows PowerShell History Viewer: You can view the Windows PowerShell commands that correspond to the actions you execute in the Active Directory Administrative Center UI.
4. Which is the default protocol used in directory services?
The default protocol used in directory services is LDAP (Lightweight Directory Access Protocol).
5. Explain the term FOREST in AD.
A forest is an assembly of AD domains that share a single AD schema. All DCs in the forest share this schema, and it is replicated among them in a hierarchical fashion.
6. Explain what SYSVOL is.
The SYSVOL folder keeps the server's copy of the domain's public files. The contents of the SYSVOL folder (users, group policy, etc.) are replicated to all domain controllers in the domain.
7. What are Sysvol Files?
To meet its dual responsibilities of supporting modern group policies and classic system policies and scripts, Active Directory domain controllers host a special folder called Sysvol. The location of the folder is determined during Dcpromo. Sysvol must be on an NTFS volume because folders within Sysvol use reparse points, which are only supported by NTFS.
8. What are File Replication and Sysvol?
The contents of Sysvol are replicated to every domain controller in a domain. It is important that the contents stay in sync. Otherwise, users will get different group policies, system policies, and classic scripts when they log on to different domain controllers.
A service called the File Replication Service, or FRS, is responsible for synchronizing the contents of Sysvol between domain controllers. (The actual service name is Ntfrs, which you may see in Event log entries.) FRS replicates an entire file when any changes are made to the file. To prevent race conditions that could occur if the file were locked, the file is first copied to a Staging folder then replicated to the other domain controllers.
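Keeping Sysvol in sync is the whole point of the answer above, so a defender wants a quick way to tell whether the replicas actually agree. The following Python is an added example, not code from the page or from Microsoft: it compares per-file SHA-256 digests of each domain controller's SYSVOL tree against a reference DC and reports files that are missing, extra or different, and it also decodes the GPT.INI Version value (user version in the high 16 bits, computer version in the low 16 bits), which is what Group Policy clients compare to decide whether a GPO changed. The DC names, file paths and contents are constructed sample data (the Default Domain Policy GUID is the well-known one); in practice you would fill the snapshots by walking \\<dc>\SYSVOL\<domain> on each DC.

```python
import hashlib

# Well-known GUID of the Default Domain Policy GPO; everything else below is constructed sample data.
DEFAULT_DOMAIN_POLICY = "Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}"

GPT_INI_V3 = b"[General]\r\nVersion=65539\r\n"   # user version 1, computer version 3
GPT_INI_V2 = b"[General]\r\nVersion=65538\r\n"   # user version 1, computer version 2 (stale copy)
REGISTRY_POL = b"PReg\x01\x00\x00\x00"
LOGON_BAT = b"@echo off\r\nnet use H: \\\\files\\home\r\n"

# Constructed SYSVOL snapshots (relative path -> file bytes) for three hypothetical DCs.
SYSVOL_SNAPSHOTS = {
    "DC1": {
        f"{DEFAULT_DOMAIN_POLICY}/GPT.INI": GPT_INI_V3,
        f"{DEFAULT_DOMAIN_POLICY}/Machine/Registry.pol": REGISTRY_POL,
        "scripts/logon.bat": LOGON_BAT,
    },
    "DC2": {  # replication lag: still carries the previous GPT.INI version
        f"{DEFAULT_DOMAIN_POLICY}/GPT.INI": GPT_INI_V2,
        f"{DEFAULT_DOMAIN_POLICY}/Machine/Registry.pol": REGISTRY_POL,
        "scripts/logon.bat": LOGON_BAT,
    },
    "DC3": {  # never received the logon script
        f"{DEFAULT_DOMAIN_POLICY}/GPT.INI": GPT_INI_V3,
        f"{DEFAULT_DOMAIN_POLICY}/Machine/Registry.pol": REGISTRY_POL,
    },
}


def digest_tree(files):
    """Map each relative path to the SHA-256 hex digest of its content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def split_gpt_version(version):
    """GPT.INI 'Version' packs the user-side version into the high 16 bits
    and the computer-side version into the low 16 bits."""
    return (version >> 16) & 0xFFFF, version & 0xFFFF


def gpt_version(gpt_ini_bytes):
    """Return the integer Version= value from a GPT.INI file."""
    for line in gpt_ini_bytes.decode("utf-8", errors="replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "version":
            return int(value.strip())
    raise ValueError("GPT.INI has no Version= line")


def find_sysvol_divergence(snapshots, reference=None):
    """Compare every DC's SYSVOL against one reference DC (default: the first one).
    Returns {dc: {"missing": [...], "extra": [...], "differs": [...]}} for DCs that diverge;
    an empty dict means all replicas agree."""
    dcs = list(snapshots)
    ref = reference or dcs[0]
    ref_digest = digest_tree(snapshots[ref])
    report = {}
    for dc in dcs:
        if dc == ref:
            continue
        digest = digest_tree(snapshots[dc])
        missing = sorted(p for p in ref_digest if p not in digest)
        extra = sorted(p for p in digest if p not in ref_digest)
        differs = sorted(p for p in ref_digest if p in digest and digest[p] != ref_digest[p])
        if missing or extra or differs:
            report[dc] = {"missing": missing, "extra": extra, "differs": differs}
    return report


if __name__ == "__main__":
    for dc, diff in find_sysvol_divergence(SYSVOL_SNAPSHOTS).items():
        print(dc, diff)
    user_ver, computer_ver = split_gpt_version(gpt_version(GPT_INI_V2))
    print("DC2 Default Domain Policy versions: user", user_ver, "computer", computer_ver)
```

Hashing whole files mirrors how FRS treats a change (any modification replicates the entire file), so a single differing digest is enough to say a replica is behind; the Version split explains why a lagging GPT.INI matters: clients on DC2 would still see computer version 2 and apply stale policy.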
9. How are Active Directory services located?
Active Directory clients use DNS to locate domain controllers. They do this by querying for Service Locator (SRV) records that point at LDAP, Kerberos, and Global Catalog ports on the servers. Refer to RFC 2052, “A DNS RR for Specifying the Location of Services.” (RR stands for Resource Record.)
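To make the SRV-based lookup concrete, here is an added Python example (not from the page and not Microsoft's client code) that builds the SRV owner names a client queries for LDAP, Kerberos and Global Catalog, parses SRV answers written in zone-file form, and orders the targets the way the RFC prescribes: lowest priority first, then weighted random within a priority. The domain corp.example, the DC host names and the answer text are constructed; the Global Catalog name is registered under the forest root, so pass the forest root domain for it.

```python
import random
import re


def ad_srv_names(domain, site=None):
    """Owner names an AD client queries for LDAP, Kerberos and Global Catalog SRV records.
    With a site name, the site-specific names (tried first by a client) are returned."""
    if site:
        return {
            "ldap": f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
            "kerberos": f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}",
            "gc": f"_gc._tcp.{site}._sites.{domain}",   # domain here is the forest root
        }
    return {
        "ldap": f"_ldap._tcp.dc._msdcs.{domain}",
        "kerberos": f"_kerberos._tcp.dc._msdcs.{domain}",
        "gc": f"_gc._tcp.{domain}",                      # domain here is the forest root
    }


# owner TTL IN SRV priority weight port target   (zone-file presentation of an SRV RR)
SRV_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)


def parse_srv_records(text):
    """Parse SRV records from zone-file style text; ';' starts a comment line."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_LINE.match(line)
        if not m:
            raise ValueError(f"not an SRV record: {line!r}")
        records.append({
            "owner": m["owner"].rstrip("."),
            "ttl": int(m["ttl"]),
            "priority": int(m["priority"]),
            "weight": int(m["weight"]),
            "port": int(m["port"]),
            "target": m["target"].rstrip("."),
        })
    return records


def order_srv_targets(records, seed=None):
    """Order records for connection attempts: lowest priority first; within a priority,
    weighted random selection (zero-weight records placed first so they are rarely chosen)."""
    rng = random.Random(seed)
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec["priority"], []).append(rec)
    ordered = []
    for priority in sorted(by_priority):
        pool = sorted(by_priority[priority], key=lambda r: r["weight"] != 0)
        while pool:
            threshold = rng.randint(0, sum(r["weight"] for r in pool))
            running = 0
            for rec in pool:
                running += rec["weight"]
                if running >= threshold:
                    break
            ordered.append(rec)
            pool.remove(rec)
    return ordered


# Constructed answer for the LDAP SRV name of a hypothetical domain corp.example.
SAMPLE_SRV_ANSWER = """\
; two equal-weight DCs at priority 0, one disaster-recovery DC at priority 10
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc2.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 10 100 389 dc-dr.corp.example.
"""

if __name__ == "__main__":
    print(ad_srv_names("corp.example", site="HQ"))
    for rec in order_srv_targets(parse_srv_records(SAMPLE_SRV_ANSWER), seed=7):
        print(rec["priority"], rec["weight"], rec["target"], rec["port"])
```

Running it shows why the DR controller only appears last: priority decides the tier, weight only spreads load inside a tier, which is also why a forgotten high-priority record never quietly steals logons from the primary DCs.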
10. What is the difference between the Domain Admins group and the Enterprise Admins group in AD?
Members of the Enterprise Admins group have complete control of all domains in the forest. Members of the Domain Admins group have complete control of their own domain.
11. What does system state data contain?
System state data contains the following:
• Startup files
• Registry
• COM+ Registration Database
• Memory page file
• System files
• AD information
• SYSVOL folder
• Cluster service information
12. What does a data DSA do?
A data DSA is always associated with a datastore, which stores the data even if the DSA is shut down. The datastore is a memory-mapped file. The DSA uses the in-memory copy of the namespace partition, and relies on the operating system memory mapping functions to keep the file copy on disk up to date.
13. What are Active Directory naming contexts?
Active Directory is capable of holding a billion objects. This is enough to hold an account, computer, mailboxes, and group memberships for every person in the western hemisphere. A big Active Directory database is like an NBA center, though. He may be the key to winning, but only if he doesn’t have to move too fast or too often.
The Active Directory database, Ntds.dit, can grow very quickly. The DIT for a domain with 150,000 objects could be well over 2GB depending on the number of groups and the length of the group membership. A DIT this size can be difficult to replicate and manage. Also, it does not make sense to replicate information about users in one continent to domain controllers on other continents unless those users regularly share information.
14. What is Kerberos?
Kerberos is an authentication protocol for networks. It is built to offer strong authentication for server/client applications by using secret-key cryptography.
15. Where is the AD database held? What other files are related to AD?
The AD database is saved in %systemroot%\NTDS. In the same folder you can also see other files; these are the main files controlling the AD structures:
• Ntds.dit
• Edb.log
• Res1.log
• Res2.log
• Edb.chk
16. What is a PDC emulator, and how would one know whether the PDC emulator is working or not?
PDC emulator: There is one PDC emulator per domain, and when an authentication attempt fails, it is forwarded to the PDC emulator. It acts as a "tie-breaker" and it controls time synchronization across the domain.
The following symptoms indicate that the PDC emulator is not working:
• Time is not syncing
• User accounts are not being locked out
• Windows NT BDCs are not getting updates
• Pre-Windows 2000 computers are unable to change their passwords
17. What are lingering objects?
Lingering objects can exist if a domain controller does not replicate for an interval of time that is longer than the tombstone lifetime (TSL).
18. What is tombstone lifetime?
Tombstone lifetime in Active Directory determines how long a deleted object is retained in Active Directory. Deleted objects in Active Directory are stored in a special object referred to as a tombstone. Windows uses a 60-day tombstone lifetime if none is set in the forest configuration.
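Questions 17 and 18 fit together: a tombstone is purged once the lifetime passes, and a DC that has not replicated within that window can reintroduce objects its partners already purged. The Python below is an added example, not code from the page or from Microsoft: it resolves the effective tombstone lifetime (the page's 60-day default when nothing is configured), classifies a deleted object as still a tombstone or already collectable, and flags replication partnerships that have been silent longer than the lifetime, which is the condition under which lingering objects arise. The DC names, timestamps and the "now" instant are constructed; the attribute name tombstoneLifetime on the Directory Service object in the configuration partition is the real one, but reading it is left to the caller.

```python
from datetime import datetime, timedelta, timezone

# Value the page gives for a forest whose tombstoneLifetime is not set.
DEFAULT_TOMBSTONE_LIFETIME_DAYS = 60


def effective_tombstone_lifetime(configured_days=None):
    """tombstoneLifetime lives on CN=Directory Service,CN=Windows NT,CN=Services in the
    configuration partition. Pass the attribute value, or None when it is absent."""
    return DEFAULT_TOMBSTONE_LIFETIME_DAYS if configured_days is None else configured_days


def tombstone_state(when_deleted, now, tsl_days):
    """'tombstone' while the deleted object is still retained; 'garbage-collectable' once the
    lifetime has passed (garbage collection removes it on its next run)."""
    return "tombstone" if now - when_deleted <= timedelta(days=tsl_days) else "garbage-collectable"


def lingering_object_risk(partner_rows, now, tsl_days):
    """Flag replication partnerships silent for longer than the tombstone lifetime.
    Such a DC can reintroduce objects its partners already deleted and purged.
    Rows are constructed here; in production they come from repadmin /showrepl or
    Get-ADReplicationPartnerMetadata."""
    tsl = timedelta(days=tsl_days)
    flagged = []
    for row in partner_rows:
        gap = now - row["last_success"]
        if gap > tsl:
            flagged.append({"dc": row["dc"], "partner": row["partner"], "gap_days": gap.days})
    return flagged


# Constructed replication status as seen on 2024-06-01 (UTC).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
PARTNER_ROWS = [
    {"dc": "DC1", "partner": "DC2", "last_success": datetime(2024, 5, 31, 23, 0, tzinfo=timezone.utc)},
    {"dc": "DC1", "partner": "BRANCH-DC", "last_success": datetime(2024, 3, 1, tzinfo=timezone.utc)},  # 92 days
    {"dc": "DC2", "partner": "DC1", "last_success": datetime(2024, 5, 20, tzinfo=timezone.utc)},
]
# Constructed deletion timestamp: 73 days before NOW.
DELETED_SAMPLE = datetime(2024, 3, 20, tzinfo=timezone.utc)


def summarize(configured_tsl_days=None):
    """Return (effective lifetime, partnerships at lingering-object risk) for the sample data."""
    tsl = effective_tombstone_lifetime(configured_tsl_days)
    return tsl, lingering_object_risk(PARTNER_ROWS, NOW, tsl)


if __name__ == "__main__":
    tsl, risky = summarize()
    print(f"tombstone lifetime: {tsl} days")
    for r in risky:
        print(f"{r['dc']} has not replicated from {r['partner']} for {r['gap_days']} days: lingering-object risk")
    print("object deleted 2024-03-20 is", tombstone_state(DELETED_SAMPLE, NOW, tsl))
```

With the 60-day default the branch DC is flagged and the sample deletion is already collectable; raising the configured lifetime to 180 days clears both, which is why the value you read from the forest, not the default, must drive any monitoring threshold.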
19. Explain what an Active Directory schema is.
The schema is an Active Directory component describing all the attributes and objects that the directory service uses to store data.
20. Explain what a child DC is.
A child DC (CDC) is a domain controller for a sub-domain beneath the root domain; the child domain shares the root domain's namespace.
21. What is object migration between domains and forests?
We cannot build or break Parent/Child and Tree Root trusts after they are formed, so the only way to change your forest structure is to migrate objects between domains. Microsoft provides a utility for performing these object migrations called the Active Directory Migration Tool, or ADMT.
22. What are tree root trusts?
This style of trust exists between root domains in the same forest that do not share a common DNS namespace.
23. What are shortcut and external trusts?
• Shortcut trusts: This style of trust exists between two domains in different trees within the same forest. It is used to expedite Kerberos transactions between the domains. With a shortcut trust in place, a client can obtain a Kerberos ticket directly from the trusted domain without walking the tree.
• External trusts: This style of trust exists between an Active Directory domain and a down-level NT4 domain. You can also create an external trust to a Samba domain. An external trust resembles a classic NT trust. It is one-way and non-transitive, meaning it cannot link an entire forest to a down-level domain. LDAP searches and Kerberos authentications do not cross the trust boundary.
24. What is meant by Kerberos realm trusts?
This style of trust exists between an Active Directory domain and an MIT v5 Kerberos realm. The trust can be made transitive and two-way.
25. Explain compatibility settings.
For backward compatibility, certain Active Directory features are disabled while domain controllers running something other than Windows Server 2003 are in operation.
A Windows Server 2003 domain faces two compatibility challenges (at least with other Windows servers):
• Operation with down-level NT domain controllers
• Operation with Windows 2000 domain controllers
Each of these challenges requires a different compatibility setting.
26. Discuss operation with down-level NT domain controllers.
Active Directory domain controllers can coexist with NT4 Domain Controllers in the same domain. This is called Windows 2000 Mixed. In Mixed, a Windows Server 2003 domain controller designated as the PDC Emulator uses classic LMRepl (LanMan Replication) to deliver selected Active Directory updates to downlevel BDCs.
In Mixed, certain advanced features in Active Directory are disabled because they are incompatible with classic NT4. Here is a list:
• Universal groups: This group type can have members from any domain in a forest and can be placed on access control lists anywhere in a forest.
• Global group nesting: In Native, Global groups from different domains can be nested together and nested into Universal groups.
• Local access to Domain Local groups: In Native, Domain Local groups from Active Directory can be placed on access control lists on member servers and desktops.
• Down-level clients can participate in transitive authentication: After a domain is running in Native, the domain controllers can proxy NTLM authentication requests from down-level clients to give them access to domains that they would not be able to access in a standard NT master/resource domain structure.
27. What is piling on?
When the domain is upgraded to Active Directory, however, a Kerberos-based client changes a flag in its security database to disable NTLM Challenge-Response and use only Kerberos. This means that if you have deployed a few thousand Windows 2000 or XP desktops in your NT domain, as soon as you upgrade the PDC, all those desktops will scurry to that one machine to authenticate. Microsoft calls this behavior “piling on.”
28. Explain what an RID master is.
The RID master holds the Relative Identifier (RID) master role; it allocates the relative identifiers used to give each object created in AD a unique ID.
29. What are the components of AD?
The components of AD include:
• Logical structure: Trees, Forests, Domains and OUs
• Physical structure: Domain controllers and Sites
30. Explain what an Infrastructure Master is.
The Infrastructure Master is responsible for updating user and group information and the global catalogue.