Latest DNS And Active Directory Interview Questions Part – 2
1. Which port does a DNS server use?
UDP port 53
2. A user opens a browser and types the IP address of the web server on which a website is hosted. Is the DNS protocol involved in this scenario?
The DNS protocol is used to resolve a website name into the corresponding IP address. In this case, since the IP address is already known, the DNS protocol is not required and is not involved.
3. Name two methods by which DNS can be configured on a computer.
It can be configured manually in the TCP/IP settings of the network adapter, or assigned automatically by a DHCP server.
4. If a computer is configured with a default gateway address, should the same address be used as the DNS server IP address?
It is not mandatory. The DNS server IP address can be any address, provided the computer can reach it.
5. What are sites? What are they used for?
One or more well-connected (highly reliable and fast) TCP/IP subnets. A site allows administrators to configure Active Directory access and replication topology to take advantage of the physical network.
A Site object in Active Directory represents a physical geographic location that hosts networks. Sites contain objects called Subnets. Sites can be used to assign Group Policy Objects, facilitate the discovery of resources, manage Active Directory replication, and manage network link traffic.
6. I want to look at the schema; how can I do that?
Register schmmgmt.dll using this command: c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc –> Add snap-in –> Active Directory Schema, and save the console as schema.msc.
Open Administrative Tools –> schema.msc.
7. What is the port number of Kerberos?
88
8. What is the port number of the Global Catalog?
3268
9. How can you forcibly remove AD from a server, and what do you do afterwards? Can I get user passwords from the AD database?
With dcpromo /forceremoval, an administrator can forcibly remove Active Directory and roll back the system without having to contact or replicate any locally held changes to another DC in the forest.
Reboot the server. After you use the dcpromo /forceremoval command, the metadata for the demoted DC is not deleted on the surviving domain controllers, so you must remove it manually by using the NTDSUTIL command.
If the NTDS Settings object is not removed correctly, you can use the Ntdsutil.exe utility to remove the NTDS Settings object manually. You will need the following tools: Ntdsutil.exe, Active Directory Sites and Services, and Active Directory Users and Computers.
10. How many root DNS servers are there in the world?
13.
11. What are the FSMO roles?
Flexible Single Master Operation (FSMO) roles. There are currently five FSMO roles:
* Schema master
* Domain naming master
* RID master
* PDC emulator
* Infrastructure master
12. What is a domain tree?
Domain Trees:
A domain tree comprises several domains that share a common schema and configuration, forming a contiguous namespace. Domains in a tree are also linked together by trust relationships. Active Directory is a set of one or more trees. Trees can be viewed in two ways: one view is the trust relationships between domains, the other is the namespace of the domain tree.
13. What is a forest?
A collection of one or more domain trees with a common schema and implicit trust relationships between them. This arrangement is used when you have multiple root DNS names.
14. How do you select the appropriate restore method?
You select the appropriate restore method by considering the circumstances and characteristics of the failure. From an Active Directory perspective, the two major categories of failure are Active Directory data corruption and hardware failure.
Active Directory data corruption occurs when the directory contains corrupt data that has been replicated to all domain controllers or when a large portion of the Active Directory hierarchy has been changed accidentally (such as deletion of an OU) and this change has replicated to other domain controllers.
15. Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003?
Active Directory replaces them. All domain controllers now share a multimaster, peer-to-peer read/write relationship, and each hosts a copy of Active Directory.
16. What is the Global Catalog?
The Global Catalog authenticates network user logons and fields inquiries about objects across a forest or tree. Every domain has at least one GC, hosted on a domain controller. In Windows 2000, there was typically one GC in every site in order to prevent user logon failures across the network.
17. How long does it take for security changes to be replicated among the domain controllers?
Security-related modifications are replicated within a site immediately. These changes include account and individual user lockout policies, changes to password policies, changes to computer account passwords, and modifications to the Local Security Authority (LSA).
18. When should you create a forest?
Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand names often give rise to separate DNS identities.
Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and joint ventures: while access to common resources is desired, a separately defined tree can enforce more direct administrative and security restrictions.
19. Describe the process of working with an external domain name.
If it is not possible for you to configure your internal domain as a subdomain of your external domain, use a stand-alone internal domain. This way, your internal and external domain names are unrelated.
For example, an organization that uses the domain name contoso.com for its external namespace uses the name corp.internal for its internal namespace. The advantage of this approach is that it gives you a unique internal domain name. The disadvantage is that this configuration requires you to manage two separate namespaces.
Also, using a stand-alone internal domain that is unrelated to your external domain might create confusion for users, because the namespaces do not reflect a relationship between resources inside and outside your network. In addition, you might have to register two DNS names with an Internet name authority if you want to make the internal domain publicly accessible.
20. What is the easiest way to check all five FSMO roles?
Use the netdom query /domain:YourDomain FSMO command. It lists the domain controller holding each FSMO role.
21. Which FSMO role directly impacts the consistency of Group Policy?
PDC Emulator.
22. Explain the process between a user providing domain credentials to the workstation and the desktop being loaded. In other words, how does AD authentication work?
When a user enters a user name and password, the computer sends the user name to the KDC. The KDC contains a master database of unique long-term keys for every principal in its realm. The KDC looks up the user’s master key (KA), which is derived from the user’s password.
The KDC then creates two items: a session key (SA) to share with the user, and a Ticket-Granting Ticket (TGT). The TGT includes a second copy of SA, the user name, and an expiration time. The KDC encrypts the TGT using its own master key (KKDC), which only the KDC knows.
The client computer receives the reply from the KDC and runs the user’s password through a one-way hash function, which converts the password into the user’s KA; with KA it can decrypt the session key SA sent by the KDC.
The client computer now has a session key and a TGT, so it can communicate securely with the KDC. The client is now authenticated to the domain and is ready to access other resources in the domain by using the Kerberos protocol.
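A worked illustration of the exchange described above, added here and not part of the original question set: a toy KDC and client perform the authentication service exchange with KA, SA, TGT and KKDC as named in the answer. The realm, account, password and the stdlib-only encrypt/decrypt helper are constructed for the example, not Windows code.

```python
# Added example (not from the original page): toy Kerberos AS exchange.
# encrypt()/decrypt() are a constructed stdlib-only stand-in for Kerberos
# encryption types so that the exchange runs offline; not production crypto.
import hashlib, hmac, json, os, time

REALM = "CORP.EXAMPLE"  # constructed realm name

def master_key(principal, password):
    # One-way derivation of the principal's long-term key KA (salted with the
    # realm and name, as Kerberos does); the same function runs on both sides.
    salt = (REALM + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def _keystream(key, nonce, length):
    blocks = length // 32 + 1
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))

def encrypt(key, obj):
    # Toy authenticated encryption: keystream XOR plus an HMAC tag.
    nonce, data = os.urandom(16), json.dumps(obj).encode()
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + body + hmac.new(key, nonce + body, "sha256").digest()

def decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered blob")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))

class KDC:
    def __init__(self, accounts):
        self.kkdc = os.urandom(32)                  # KKDC, known only to the KDC
        self.db = {u: master_key(u, p) for u, p in accounts.items()}  # KA per principal

    def as_exchange(self, username):
        # AS-REQ carries the user name; the KDC mints SA and a TGT sealed under KKDC
        # and returns SA to the user sealed under KA. The password never travels.
        ka = self.db[username]
        sa = os.urandom(32).hex()
        expires = time.time() + 10 * 3600          # constructed 10-hour lifetime
        tgt = encrypt(self.kkdc, {"user": username, "sa": sa, "expires": expires})
        return {"enc_part": encrypt(ka, {"sa": sa, "expires": expires}), "tgt": tgt}

def client_login(kdc, username, password):
    # Client side: hash the typed password into KA, unseal SA from the AS-REP,
    # and keep the opaque TGT for later TGS requests. Wrong password -> ValueError.
    reply = kdc.as_exchange(username)
    sa = decrypt(master_key(username, password), reply["enc_part"])["sa"]
    return sa, reply["tgt"]
```

Note that the client never decrypts the TGT itself; only the KDC can open it with KKDC, which is why a wrong password fails at the enc_part step rather than at the ticket.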
23. Name a few port numbers related to Active Directory.
Kerberos 88, LDAP 389, DNS 53, SMB 44
24. Which version of Kerberos is used for Windows 2000/2003 and 2008 Active Directory?
All versions of Windows Server Active Directory use Kerberos
25. How do you check the current forest and domain functional levels? Give both the GUI and the command-line method.
To find the forest and domain functional levels in GUI mode, open ADUC, right-click the domain name and open Properties. Both the domain and forest functional levels are listed there. From the command line, you can use the DSQUERY command.