Active Directory Interview Questions

Q. Define what is Active Directory?
Answer: Active Directory is metadata. Active Directory is a database which stores data such as your user information, computer information and other network object information. It has the capability to manage and administer the complete network that connects with AD.

Q. What's the difference between local, global and universal groups?
Answer: Domain local groups assign access permissions to global domain groups for local domain resources. Global groups provide access to resources in other trusted domains. Universal groups grant access to resources in all trusted domains.

Q. I am trying to create a new universal user group. Why can't I?
Answer: Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.

Q. What is an IP address?
Answer: Every device connected to the public Internet is assigned a unique number known as an Internet Protocol (IP) address. IP addresses consist of four numbers separated by periods (also called a "dotted quad") and look something like 127.0.0.1. In computer networking, an Internet Protocol (IP) address is a numerical identification (logical address) that network management assigns to devices participating in a computer network that uses the Internet Protocol for communication between its nodes. Although computers store IP addresses as binary numbers, they often display them in more human-readable notations, such as 192.168.100.1 (for IPv4) and 2001:db8:0:1234:0:567:1:1 (for IPv6). The role of the IP address has been characterized as follows: "A name indicates what we seek. An address indicates where it is. A route indicates how to get there."

Q. What is a subnet mask?
Answer: A subnet (short for "subnetwork") is an identifiably separate part of an organization's network.
Typically, a subnet may represent all the machines at one geographic location, in one building, or on the same local area network (LAN). Having an organization's network divided into subnets allows it to be connected to the Internet with a single shared network address. Without subnets, an organization could get multiple connections to the Internet, one for each of its physically separate subnetworks, but this would require an unnecessary use of the limited number of network numbers the Internet has to assign. It would also require that Internet routing tables on gateways outside the organization know about and manage routing that could and should be handled within the organization.

Q. What is ARP? What is ARP cache poisoning?
Answer: Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address (IP address) to a physical machine address that is recognized in the local network. For example, in IP version 4, the most common level of IP in use today, an address is 32 bits long. In an Ethernet local area network, however, addresses for attached devices are 48 bits long. (The physical machine address is also known as a Media Access Control or MAC address.) A table, usually called the ARP cache, is used to maintain a correlation between each MAC address and its corresponding IP address. ARP provides the protocol rules for making this correlation and providing address conversion in both directions.

Q. How does ARP work?
Answer: When an incoming packet destined for a host machine on a particular local area network arrives at a gateway, the gateway asks the ARP program to find a physical host or MAC address that matches the IP address. The ARP program looks in the ARP cache and, if it finds the address, provides it so that the packet can be converted to the right packet length and format and sent to the machine.
If no entry is found for the IP address, ARP broadcasts a request packet in a special format to all the machines on the LAN to see if one machine knows that it has that IP address associated with it. A machine that recognizes the IP address as its own returns a reply indicating so. ARP updates the ARP cache for future reference and then sends the packet to the MAC address that replied.

Q. Define what is Active Directory Domain Services?
Answer: In Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In Windows Server 2008 and Windows Server 2008 R2, the directory service is named Active Directory Domain Services (AD DS). The rest of this topic refers to AD DS, but the information is also applicable to Active Directory.

Q. Define what is a domain?
Answer: A domain is a set of network resources (applications, printers, and so forth) for a group of users. The user need only log in to the domain to gain access to the resources, which may be located on a number of different servers in the network. The "domain" is simply your computer address, not to be confused with a URL. A domain address might look something like 211.170.469.

Q. Define what is a domain controller?
Answer: A domain controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, etc.) within the Windows Server domain. A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of computer resources with the use of a single username and password combination.

Q. What is a default gateway? What happens if I don't have one?
Answer: A gateway is a routing device that knows how to pass traffic between different subnets and networks. A computer will know some routes (a route is the address of each node a packet must go through on the Internet to reach a specific destination), but not the routes to every address on the Internet. It won't even know all the routes on the nearest subnets.
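The ARP questions above name ARP cache poisoning without defining it: the term refers to false IP-to-MAC mappings entering the ARP cache, so that traffic for one address (typically the gateway) is delivered to the wrong MAC. The surest defence is static or validated bindings for critical addresses, but a cheap detective control is to compare cache snapshots over time. The following Python is an added example, not code from the page; the two snapshots, the addresses and the MACs are constructed, and the "expected" binding for 192.168.0.1 is an assumption.

```python
"""Flag suspicious changes in an ARP cache (added example with constructed data)."""
from collections import defaultdict

# Constructed snapshots of one host's ARP cache (ip -> mac), taken a few seconds apart.
# Assumption: 192.168.0.1 is the default gateway and aa:aa:aa:aa:aa:01 is its real MAC.
SNAPSHOT_BEFORE = {
    "192.168.0.1": "aa:aa:aa:aa:aa:01",
    "192.168.0.10": "aa:aa:aa:aa:aa:10",
    "192.168.0.20": "aa:aa:aa:aa:aa:20",
}
SNAPSHOT_AFTER = {
    "192.168.0.1": "aa:aa:aa:aa:aa:20",   # the gateway entry now carries .20's MAC
    "192.168.0.10": "aa:aa:aa:aa:aa:10",
    "192.168.0.20": "aa:aa:aa:aa:aa:20",
}
KNOWN_GOOD = {"192.168.0.1": "aa:aa:aa:aa:aa:01"}   # static binding for the gateway


def find_mac_changes(before, after):
    """Return (ip, old_mac, new_mac) for every IP whose MAC differs between snapshots."""
    return [(ip, before[ip], after[ip])
            for ip in before if ip in after and before[ip] != after[ip]]


def find_shared_macs(table):
    """Return {mac: [ips]} for MACs claimed by more than one IP.

    A legitimate host can own several IPs (virtual IPs, routers), so this is a
    signal to investigate rather than proof of poisoning.
    """
    owners = defaultdict(list)
    for ip, mac in table.items():
        owners[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in owners.items() if len(ips) > 1}


def check_static_bindings(table, expected):
    """Compare the cache against known-good bindings; returns (ip, wanted, found)."""
    return [(ip, mac, table.get(ip)) for ip, mac in expected.items() if table.get(ip) != mac]


def arp_alerts(before, after, expected):
    """Combine the three checks into human-readable alert lines."""
    alerts = []
    for ip, old, new in find_mac_changes(before, after):
        alerts.append(f"MAC for {ip} changed from {old} to {new}")
    for mac, ips in find_shared_macs(after).items():
        alerts.append(f"MAC {mac} is claimed by several IPs: {', '.join(ips)}")
    for ip, want, got in check_static_bindings(after, expected):
        alerts.append(f"{ip} expected {want} but cache holds {got}")
    return alerts


if __name__ == "__main__":
    for line in arp_alerts(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, KNOWN_GOOD):
        print("ALERT:", line)
```

On a real host the snapshots would come from `arp -a` (Windows) or `ip neigh` (Linux) on a schedule; the three checks are independent so any one of them can be dropped if it is too noisy for a given network.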
A gateway will not have this information either, but will at least know the addresses of other gateways it can hand the traffic off to. Your default gateway is on the same subnet as your computer, and is the gateway your computer relies on when it doesn't know how to route traffic. The default gateway is typically very similar to your IP address, in that many of the numbers may be the same. However, the default gateway is not your IP address. To see what default gateway you are using, follow the steps below for your operating system.

Q. What is a subnet?
Answer: In computer networks based on the Internet Protocol Suite, a subnetwork, or subnet, is a portion of the network's computers and network devices that have a common, designated IP address routing prefix (cf. Classless Inter-Domain Routing, CIDR). A routing prefix is the sequence of leading bits of an IP address that precede the portion of the address used as the host identifier (or "rest field" in early Internet terminology).

Q. What is APIPA? What is Automatic Private IP Addressing (APIPA)?
Answer: Windows 98, 98 SE, Me, and 2000 have an Automatic Private IP Addressing (APIPA) feature that will automatically assign an Internet Protocol address to a computer on which it is installed. This occurs when the TCP/IP protocol is installed, set to obtain its IP address automatically from a Dynamic Host Configuration Protocol server, and there is no DHCP server present or the DHCP server is not available. The Internet Assigned Numbers Authority (IANA) has reserved private IP addresses in the range 169.254.0.0 - 169.254.255.255 for Automatic Private IP Addressing.

Q. What is an RFC? Name a few if possible (not necessarily the numbers, just the ideas behind them). What is RFC 1918?
Answer: Address Allocation for Private Internets, February 1996. (Excerpt:) ...capabilities of Internet Service Providers. Efforts are in progress within the community to find long term solutions to both of these problems.
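The routing-prefix, APIPA and RFC 1918 answers above describe ranges in words; the Python below, an added example rather than code from the page, does the arithmetic with the standard `ipaddress` module: the usable host range behind a prefix, the number of equal-size subnets that fit a larger block for a required host count, and whether an address falls in the APIPA or RFC 1918 ranges. The sample inputs are the network IDs that appear on this page plus a few constructed addresses; 131.112.0.0 is assumed to be a /16 (its classful B default).

```python
"""Routing-prefix arithmetic and private/link-local classification (added example)."""
import ipaddress

APIPA = ipaddress.ip_network("169.254.0.0/16")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def usable_host_range(cidr):
    """First and last assignable address of a network given in CIDR form.

    strict=False accepts a host address in place of the network ID.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())             # excludes network and broadcast addresses
    return str(hosts[0]), str(hosts[-1])


def plan_subnets(block, hosts_needed):
    """Smallest subnets inside `block` that still hold `hosts_needed` usable addresses.

    Returns (number_of_subnets, dotted_mask, prefix_length).
    """
    base = ipaddress.ip_network(block, strict=False)
    for prefix in range(30, base.prefixlen - 1, -1):   # try the smallest subnets first
        usable = 2 ** (32 - prefix) - 2                 # minus network and broadcast
        if usable >= hosts_needed:
            count = 2 ** (prefix - base.prefixlen)
            mask = str(ipaddress.ip_network(f"{base.network_address}/{prefix}").netmask)
            return count, mask, prefix
    raise ValueError(f"{block} cannot hold {hosts_needed} hosts in any subnet")


def classify(addr):
    """Label an IPv4 address as APIPA, RFC 1918 private, loopback or public/other."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return "public/other"
    if ip in APIPA:
        return "APIPA link-local"          # no DHCP answer: the host self-assigned
    if any(ip in net for net in RFC1918):
        return "RFC 1918 private"          # must not be routed on the public Internet
    if ip.is_loopback:
        return "loopback"
    return "public/other"


if __name__ == "__main__":
    print(usable_host_range("192.115.103.64/27"))     # page's /27 question
    print(plan_subnets("131.112.0.0/16", 500))         # page's 500-hosts question
    for a in ("169.254.10.5", "172.31.255.1", "172.32.0.1", "127.0.0.1"):  # constructed
        print(a, classify(a))
```

A DHCP-client suddenly reporting an APIPA label is the quickest field sign that the DHCP server was unreachable at boot; the classifier above is the check a monitoring script would run over an inventory export.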
Meanwhile it is necessary to revisit address allocation procedures, and their impact on the Internet routing system.

Q. What is CIDR?
Answer: Short for Classless Inter-Domain Routing, an IP addressing scheme that replaces the older system based on classes A, B, and C. With CIDR, a single IP address can be used to designate many unique IP addresses. A CIDR IP address looks like a normal IP address except that it ends with a slash followed by a number, called the IP network prefix. For example: 172.200.0.0/16. The IP network prefix specifies how many addresses are covered by the CIDR address, with lower numbers covering more addresses. An IP network prefix of /12, for example, can be used to address 1,048,576 former Class C addresses. CIDR addresses reduce the size of routing tables and make more IP addresses available within organizations. CIDR is also called supernetting.

Q. You have the following Network ID: 192.115.103.64/27. What is the IP range for your network?
Answer: 192.115.103.65 to 192.115.103.94

Q. You have the following Network ID: 131.112.0.0. You need at least 500 hosts per network. How many networks can you create? What subnet mask will you use?
Answer: Number of networks = 128; subnet mask = 255.255.254.0

Q. You need to view network traffic. What will you use? Name a few tools.
Answer: A network traffic monitoring tool.

Q. How do I know the path that a packet takes to the destination?
Answer: Use the "tracert" command-line tool.

Q. What does the ping 192.168.0.1 -l 1000 -n 100 command do?
Answer: The ping command sends round-trip packets to a destination (another PC, router, printer, etc.) and measures how long they take. 192.168.0.1 is the destination (which, by the way, is a typical default IP address of a router). -l 1000 is how big the packet should be in bytes; the default is 32 if the -l parameter is not used. -n 100 says to send it 100 times; the default is 4 when this parameter is not used.

Q. What is DHCP?
What are the benefits and drawbacks of using it?
Answer: DHCP is Dynamic Host Configuration Protocol. In a networked environment it is a method to assign an "address" to a computer when it boots up. Benefit: a system administrator need not worry about computers being able to access networked resources.

Q. Benefits of using DHCP
Answer: DHCP provides the following benefits for administering your TCP/IP-based network:
Safe and reliable configuration: DHCP avoids configuration errors caused by the need to manually type in values at each computer. Also, DHCP helps prevent address conflicts caused by a previously assigned IP address being reused to configure a new computer on the network.
Reduced configuration management: Using DHCP servers can greatly decrease time spent configuring and reconfiguring computers on your network. Servers can be configured to supply a full range of additional configuration values when assigning address leases. These values are assigned using DHCP options. Also, the DHCP lease renewal process helps ensure that where client configurations need to be updated often (such as users with mobile or portable computers who change locations frequently), these changes can be made efficiently and automatically by clients communicating directly with DHCP servers.

Q. Describe the steps taken by the client and DHCP server in order to obtain an IP address.
Answer: DHCP uses a client-server model. The network administrator establishes one or more DHCP servers that maintain TCP/IP configuration information and provide it to clients. The server database includes the following:
  • Valid configuration parameters for all clients on the network.
  • Valid IP addresses maintained in a pool for assignment to clients, plus reserved addresses for manual assignment.
  • Duration of a lease offered by the server. The lease defines the length of time for which the assigned IP address can be used.
With a DHCP server installed and configured on your network, DHCP-enabled clients can obtain their IP address and related configuration parameters dynamically each time they start and join your network. DHCP servers provide this configuration in the form of an address-lease offer to requesting clients.

Q. What is the DHCPNACK and when do I get one? Name 2 scenarios. What does DHCPNACK stand for?
Answer: DHCP (Dynamic Host Configuration Protocol) Negative Acknowledgment

Q. What ports are used by DHCP and the DHCP clients?
Answer: Requests are on UDP port 68, server replies on UDP 6

Q. Describe the process of installing a DHCP server in an AD infrastructure.
Answer: Open the Windows Components Wizard. Under Components, scroll to and click Networking Services. Click Details. Under Subcomponents of Networking Services, click Dynamic Host Configuration Protocol (DHCP), and then click OK. Click Next. If prompted, type the full path to the Windows Server 2003 distribution files, and then click Next. Required files are copied to your hard disk.
To authorize a DHCP server in Active Directory: Open DHCP. In the console tree, click DHCP. On the Action menu, click Manage authorized servers. The Manage Authorized Servers dialog box appears. Click Authorize. When prompted, type the name or IP address of the DHCP server to be authorized, and then click OK.

Q. What is DHCPINFORM?
Answer: DHCPInform is a DHCP message used by DHCP clients to obtain DHCP options. While PPP remote access clients do not use DHCP to obtain IP addresses for the remote access connection, Windows 2000 and Windows 98 remote access clients use the DHCPInform message to obtain DNS server IP addresses, WINS server IP addresses, and a DNS domain name. The DHCPInform message is sent after the IPCP negotiation is complete. The DHCPInform message received by the remote access server is then forwarded to a DHCP server.
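The lease process described in the DHCP answers above (pool, lease duration, options, the address-lease offer, and the negative acknowledgment) is easiest to see as both sides' messages. The Python below is an added example, not code from the page or from any DHCP implementation: a toy server with a constructed two-address pool walks a client through DISCOVER, OFFER, REQUEST and ACK, answers NAK when a requested address is outside its scope or already leased to someone else, and re-offers a client's existing lease on renewal. The addresses, MAC strings and option values are all constructed.

```python
"""Toy DHCP lease exchange: DISCOVER/OFFER/REQUEST/ACK and NAK cases (added example)."""
from dataclasses import dataclass, field


@dataclass
class Lease:
    ip: str
    mac: str
    expires_at: int          # seconds on an abstract clock


@dataclass
class DhcpServer:
    pool: list                                        # constructed assignable addresses
    lease_seconds: int = 3600
    options: dict = field(default_factory=dict)       # router, dns, ... supplied with the lease
    leases: dict = field(default_factory=dict)        # mac -> Lease

    def _free(self, now):
        taken = {l.ip for l in self.leases.values() if l.expires_at > now}
        return [ip for ip in self.pool if ip not in taken]

    def offer(self, mac, now):
        """DISCOVER -> OFFER. A client with a live lease is offered the same address again."""
        current = self.leases.get(mac)
        if current and current.expires_at > now:
            ip = current.ip
        else:
            free = self._free(now)
            if not free:
                return None                           # pool exhausted: the server stays silent
            ip = free[0]
        return {"type": "OFFER", "ip": ip, "lease": self.lease_seconds, **self.options}

    def request(self, mac, requested_ip, now):
        """REQUEST -> ACK, or NAK when the server cannot grant the requested address."""
        if requested_ip not in self.pool:
            return {"type": "NAK", "reason": "address is outside this server's scope"}
        holder = next((m for m, l in self.leases.items()
                       if l.ip == requested_ip and l.expires_at > now), None)
        if holder not in (None, mac):
            return {"type": "NAK", "reason": "address is leased to another client"}
        self.leases[mac] = Lease(requested_ip, mac, now + self.lease_seconds)
        return {"type": "ACK", "ip": requested_ip, "lease": self.lease_seconds, **self.options}


def client_boot(server, mac, now):
    """Run the exchange from the client's side; returns the message types seen, in order."""
    transcript = ["DISCOVER"]
    offer = server.offer(mac, now)
    if offer is None:
        return transcript                             # no OFFER: the client would fall back to APIPA
    transcript += [offer["type"], "REQUEST"]
    reply = server.request(mac, offer["ip"], now)
    transcript.append(reply["type"])
    return transcript


if __name__ == "__main__":
    srv = DhcpServer(pool=["192.168.0.100", "192.168.0.101"],
                     options={"router": "192.168.0.1", "dns": ["192.168.0.2"]})
    print(client_boot(srv, "aa:01", now=0))
    print(srv.request("aa:01", "10.0.0.5", now=10))   # client asks for an address from another subnet
```

The two NAK branches correspond to the two situations an operator most often sees: a laptop that moved subnets and asks for its old address, and an address that another client already holds.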
The remote access server forwards DHCPInform messages only if it has been configured with the DHCP Relay Agent.

Q. Describe the integration between DHCP and DNS.
Answer: Traditionally, DNS and DHCP servers have been configured and managed one at a time. Similarly, changing authorization rights for a particular user on a group of devices has meant visiting each one and making configuration changes. DHCP integration with DNS allows the aggregation of these tasks across devices, enabling a company's network services to scale in step with the growth of network users, devices, and policies, while reducing administrative operations and costs. This integration provides practical operational efficiencies that lower total cost of ownership. Creating a DHCP network automatically creates an associated DNS zone, for example, reducing the number of tasks required of network administrators. And integration of DNS and DHCP in the same database instance provides unmatched consistency between service and management views of IP address-centric network services data.

Q. What is the BOOTP protocol used for, and where might you find it in Windows network infrastructure?
Answer: In computing, Bootstrap Protocol, or BOOTP, is a UDP network protocol used by a network client to obtain its IP address automatically. This is usually done during the bootstrap process when a computer is starting up. The BOOTP servers assign the IP address to each client from a pool of addresses. We can find Bootstrap Protocol in the DHCP pool configuration on Cisco switches and routers.

Q. DNS zones – describe the differences between the 3 types.
Answer: DNS stands for Distributed Name System. A DNS server resolves a name to an IP address, as stated in an earlier answer, but it can also point to multiple IP addresses for load balancing, or for backup servers if one or more is offline or not accepting connections. Individual organizations may have their own DNS servers for their local intranet.
Some sites have their own DNS server to switch between subdomains within them. For example, a site such as Blogspot can have subdomains come and go quite frequently. Rather than force every DNS server to update its own database whenever someone creates a new blog, Blogspot could maintain its own DNS server to resolve names within the blogspot.com domain, e.g., to distinguish between myblog.blogspot.com and yourblog.blogspot.com; their DNS server would be queried once blogspot.com is resolved, and it would be responsible for resolving myblog vs. yourblog. The following are the three main components of DNS:

  • Domain name space and associated resource records (RRs): A distributed database of name-related information.
  • DNS name servers: Servers that hold the domain name space and RRs, and that answer queries from DNS clients.
  • DNS resolvers: The facility within a DNS client that contacts DNS name servers and issues name queries to obtain resource record information.

DNS Zones
A DNS server that has complete information for part of the DNS name space is said to be the authority for that part of the name space. This authoritative information is organized into units called zones, which are the main units of replication in DNS. A zone contains one or more RRs for one or more related DNS domains. The following are the three DNS zone types implemented in Windows 2000:
  • Standard Primary: Holds the master copy of a zone and can replicate it to secondary zones. All changes to a zone are made on the standard primary.
  • Standard Secondary: Contains a read-only copy of zone information that can provide increased performance and resilience. Information in a primary zone is replicated to the secondary by use of the zone transfer mechanism.
  • Active Directory-integrated: A Microsoft proprietary zone type, where the zone information is held in the Windows 2000 Active Directory (AD) and replicated using AD replication.

Q. DNS record types – describe the most important ones. What are DNS Resource Records?
Answer: An RR is information related to a DNS domain; for example, the host record defining a host IP address. Each RR will contain a common set of information, as follows:

  • Owner: Indicates the DNS domain in which the resource record is found.
  • TTL: The length of time used by other DNS servers to determine how long to cache information for a record before discarding it. For most RRs, this field is optional. The TTL value is measured in seconds, with a TTL value of 0 indicating that the RR contains volatile data that is not to be cached. As an example, SOA records have a default TTL of 1 hour. This prevents these records from being cached by other DNS servers for a longer period, which would delay the propagation of changes.
  • Class: For most RRs, this field is optional. Where it is used, it contains standard mnemonic text indicating the class of an RR. For example, a class setting of IN indicates the record belongs to the Internet (IN) class. At one time there were multiple classes (such as CH for Chaos Net), but today only the IN class is used.
  • Type: This required field holds standard mnemonic text indicating the type of an RR. For example, a mnemonic of A indicates that the RR stores host address information.
  • Record-specific data: This is a variable-length field containing information describing the resource. The format of this information varies according to the type and class of the RR.
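The five RR fields above, with TTL and class optional and type mandatory, are exactly what a zone-file line carries, so a parser for that line is the natural worked example. The Python below is an added example, not code from the page: it handles the optional fields in either order, applies a default TTL when one is omitted, treats a line that starts with whitespace as inheriting the previous owner, and keeps a TTL of 0 distinct from a missing TTL. The zone text is constructed for the example; the default TTL of 3600 and the origin example.com. are assumptions.

```python
"""Parse zone-file style resource records into owner/TTL/class/type/data (added example)."""

DEFAULT_TTL = 3600          # assumed $TTL for the example zone
DEFAULT_CLASS = "IN"
CLASSES = {"IN", "CH", "HS"}
TYPES = {"A", "AAAA", "NS", "SOA", "PTR", "MX", "CNAME", "SRV", "TXT"}


def parse_rr(line, origin, last_owner=None):
    """Parse one RR line; returns a dict with the five fields, or None for blank lines.

    Both TTL and class are optional and may appear in either order before the type.
    A line beginning with whitespace has no owner field and reuses the previous owner.
    """
    line = line.split(";", 1)[0].rstrip()             # drop a trailing comment
    if not line.strip():
        return None
    tokens = line.split()
    owner = last_owner if line[0].isspace() else tokens.pop(0)
    if owner is None:
        raise ValueError("owner omitted with no previous owner to inherit")
    if owner == "@":
        owner = origin
    elif not owner.endswith("."):
        owner = f"{owner}.{origin}"                   # relative names are qualified with the origin
    ttl, rclass = DEFAULT_TTL, DEFAULT_CLASS
    while tokens and tokens[0] not in TYPES:
        tok = tokens.pop(0)
        if tok.isdigit():
            ttl = int(tok)                            # 0 is valid and means "do not cache"
        elif tok.upper() in CLASSES:
            rclass = tok.upper()
        else:
            raise ValueError(f"unexpected token {tok!r} before record type")
    if not tokens:
        raise ValueError("missing record type")
    rtype = tokens.pop(0)
    return {"owner": owner, "ttl": ttl, "class": rclass, "type": rtype, "data": " ".join(tokens)}


def parse_zone(text, origin):
    """Parse every non-blank line, threading the previous owner through for inheritance."""
    records, last = [], None
    for raw in text.splitlines():
        rr = parse_rr(raw, origin, last)
        if rr:
            records.append(rr)
            last = rr["owner"]
    return records


# Constructed example zone; every line exercises a different optional-field combination.
ZONE = """\
@        3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 3600
@             IN NS  ns1.example.com.
ns1      IN A   192.0.2.1        ; class given, TTL omitted -> DEFAULT_TTL
www      300   A   192.0.2.10    ; TTL given, class omitted -> IN
         0     A   192.0.2.11    ; owner inherited from previous line, TTL 0 = volatile
"""

if __name__ == "__main__":
    for rr in parse_zone(ZONE, "example.com."):
        print(rr)
```

The parser deliberately rejects an unknown token before the type rather than guessing, since a misread class or TTL would silently change caching behaviour for every server that loads the zone.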

Q. Describe the process of working with an external domain name.
Answer: If it is not possible for you to configure your internal domain as a subdomain of your external domain, use a stand-alone internal domain. This way, your internal and external domain names are unrelated. For example, an organization that uses the domain name contoso.com for their external namespace uses the name corp.internal for their internal namespace. The advantage to this approach is that it provides you with a unique internal domain name. The disadvantage is that this configuration requires you to manage two separate namespaces. Also, using a stand-alone internal domain that is unrelated to your external domain might create confusion for users because the namespaces do not reflect a relationship between resources within and outside of your network. In addition, you might have to register two DNS names with an Internet name authority if you want to make the internal domain publicly accessible.

Q. Describe the importance of DNS to AD.
Answer: When Microsoft began development on Active Directory, full compatibility with the domain name system (DNS) was a critical priority. Active Directory was built from the ground up not just to be fully compatible with DNS but to be so integrated with it that one cannot exist without the other. Microsoft's direction in this case did not just happen by chance, but because of the central role that DNS plays in Internet name resolution and Microsoft's desire to make its product lines embrace the Internet. While fully conforming to the standards established for DNS, Active Directory can expand upon the standard feature set of DNS and offer some new capabilities such as AD-Integrated DNS, which greatly eases the administration required for DNS environments. In addition, Active Directory can easily adapt to exist in a foreign DNS environment, such as Unix BIND, as long as the BIND version is 8.2.x or higher.
Q. What does "Disable Recursion" in DNS mean?
Answer: In the Windows 2000/2003 DNS console (dnsmgmt.msc), under a server's Properties -> Forwarders tab is the setting "Do not use recursion for this domain". On the Advanced tab you will find the confusingly similar option "Disable recursion (also disables forwarders)". Recursion refers to the action of a DNS server querying additional DNS servers (e.g. local ISP DNS or the root DNS servers) to resolve queries that it cannot resolve from its own database. So what is the difference between these settings? The DNS server will attempt to resolve the name locally, then will forward requests to any DNS servers specified as forwarders. If "Do not use recursion for this domain" is enabled, the DNS server will pass the query on to forwarders, but will not recursively query any other DNS servers (e.g. external DNS servers) if the forwarders cannot resolve the query. If "Disable recursion (also disables forwarders)" is set, the server will attempt to resolve a query from its own database only. It will not query any additional servers.
If neither of these options is set, the server will attempt to resolve queries normally: the local database is queried; if an entry is not found, the request is passed to any forwarders that are set; if no forwarders are set, the server will query the servers on the Root Hints tab to resolve queries beginning at the root domains.

Q. What is a "single label domain name" and what sort of issues can it cause?
Answer: Single-label names consist of a single word like "contoso".

  • Single-label DNS names cannot be registered by using an Internet registrar.
  • Client computers and domain controllers that are joined to single-label domains require additional configuration to dynamically register DNS records in single-label DNS zones.
  • Client computers and domain controllers may require additional configuration to resolve DNS queries in single-label DNS zones.
  • By default, Windows Server 2003-based domain members, Windows XP-based domain members, and Windows 2000-based domain members do not perform dynamic updates to single-label DNS zones.

Some server-based applications are incompatible with single-label domain names. Application support may not exist in the initial release of an application, or support may be dropped in a future release. For example, Microsoft Exchange Server 2007 is not supported in environments in which single-label DNS is used. Some server-based applications are incompatible with the domain rename feature that is supported in Windows Server 2003 domain controllers and in Windows Server 2008 domain controllers. These incompatibilities either block or complicate the use of the domain rename feature when you try to rename a single-label DNS name to a fully qualified domain name.

Q. What is the "in-addr.arpa" zone used for?
Answer: In a Domain Name System (DNS) environment, it is common for a user or an application to request a reverse lookup of a host name, given the IP address. This article explains this process. The following is quoted from RFC 1035: "The Internet uses a special domain to support gateway location and Internet address to host mapping. Other classes may employ a similar strategy in other domains. The intent of this domain is to provide a guaranteed method to perform host address to host name mapping, and to facilitate queries to locate all gateways on a particular network on the Internet. The domain begins at IN-ADDR.ARPA and has a substructure which follows the Internet Addressing structure. Domain names in the IN-ADDR.ARPA domain are defined to have up to four labels in addition to the IN-ADDR.ARPA suffix. Each label represents one octet of an Internet address, and is expressed as a character string for a decimal value in the range 0-255 (with leading zeros omitted except in the case of a zero octet which is represented by a single zero). Host addresses are represented by domain names that have all four labels specified." Reverse lookup files use the structure specified in RFC 1035.
For example, if you have a network which is 150.10.0.0, then the reverse lookup file for this network would be 10.150.IN-ADDR.ARPA. Any hosts with IP addresses in the 150.10.0.0 network will have a PTR (or "pointer") entry in 10.150.IN-ADDR.ARPA referencing the host name for that IP address. A single IN-ADDR.ARPA file may contain entries for hosts in many domains. Consider the following scenario. There is a reverse lookup file 10.150.IN-ADDR.ARPA with the following contents. Example: 1.20 IN PTR WS1.ACME.COM.

Q. What are the requirements from DNS to support AD?
Answer: When you install Active Directory on a member server, the member server is promoted to a domain controller. Active Directory uses DNS as the location mechanism for domain controllers, enabling computers on the network to obtain IP addresses of domain controllers. During the installation of Active Directory, the service (SRV) and address (A) resource records are dynamically registered in DNS, which are necessary for the successful functionality of the domain controller locator (Locator) mechanism. To find domain controllers in a domain or forest, a client queries DNS for the SRV and A DNS resource records of the domain controller, which provide the client with the names and IP addresses of the domain controllers. In this context, the SRV and A resource records are referred to as Locator DNS resource records. When adding a domain controller to a forest, you are updating a DNS zone hosted on a DNS server with the Locator DNS resource records and identifying the domain controller. For this reason, the DNS zone must allow dynamic updates (RFC 2136) and the DNS server hosting that zone must support the SRV resource records (RFC 2782) to advertise the Active Directory directory service. For more information about RFCs, see DNS RFCs.
If the DNS server hosting the authoritative DNS zone is not a server running Windows 2000 or Windows Server 2003, contact your DNS administrator to determine if the DNS server supports the required standards. If the server does not support the required standards, or the authoritative DNS zone cannot be configured to allow dynamic updates, then modification is required to your existing DNS infrastructure. For more information, see Checklist: Verifying DNS before installing Active Directory and Using the Active Directory Installation Wizard. Important: The DNS server used to support Active Directory must support SRV resource records for the Locator mechanism to function. For more information, see Managing resource records. It is recommended that the DNS infrastructure allows dynamic updates of Locator DNS resource records (SRV and A) before installing Active Directory, but your DNS administrator may add these resource records manually after installation. After installing Active Directory, these records can be found on the domain controller in the following location: systemroot\System32\Config\Netlogon.dns

Q. How do you manually create SRV records in DNS?
Answer: On Windows Server, go to Run -> dnsmgmt.msc, right-click the zone you want to add the SRV record to, choose "Other New Records", and choose Service Location (SRV).

Q. Name 3 benefits of using AD-integrated zones.
Answer: Active Directory–integrated DNS enables Active Directory storage and replication of DNS zone databases. Windows 2000 DNS server, the DNS server that is included with Windows 2000 Server, accommodates storing zone data in Active Directory. When you configure a computer as a DNS server, zones are usually stored as text files on name servers; that is, all of the zones required by DNS are stored in a text file on the server computer.
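Two naming conventions from the answers above are worth having in code: the in-addr.arpa name that a reverse lookup queries, and the SRV Locator records (RFC 2782) a client reads to find domain controllers. The Python below is an added example, not code from the page or from Windows: it derives the PTR owner and reverse-zone name for the page's 150.10.0.0 example, and parses constructed SRV lines written in the shape of Locator records, ordering targets by priority and weight. The `_ldap._tcp.dc._msdcs` owner is the real AD Locator name; the domain corp.internal, the DC names and the priorities are constructed. RFC 2782 picks among equal-priority targets randomly in proportion to weight; the deterministic sort here is a simplification for the example.

```python
"""Reverse-lookup names and SRV Locator record ordering (added example)."""
import ipaddress


def ptr_owner(ip):
    """Owner name of the PTR record for an address: 150.10.20.1 -> 1.20.10.150.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def reverse_zone(network):
    """Reverse zone for an octet-aligned IPv4 network: 150.10.0.0/16 -> 10.150.in-addr.arpa."""
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("only octet-aligned IPv4 networks map to a single in-addr.arpa zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def parse_srv(line):
    """Parse 'owner ttl IN SRV priority weight port target' (RFC 2782 presentation format)."""
    fields = line.split()
    if len(fields) != 8 or fields[3] != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    owner, ttl, _cls, _type, prio, weight, port, target = fields
    return {"owner": owner, "ttl": int(ttl), "priority": int(prio),
            "weight": int(weight), "port": int(port), "target": target}


def order_targets(records):
    """Targets to try in order: lowest priority first, higher weight preferred within a priority."""
    ranked = sorted(records, key=lambda r: (r["priority"], -r["weight"]))
    return [(r["target"], r["port"]) for r in ranked]


# Constructed lines in the style of the Locator SRV records a DC registers (not a real Netlogon.dns).
LOCATOR = [
    "_ldap._tcp.dc._msdcs.corp.internal. 600 IN SRV 10 100 389 dc3.corp.internal.",
    "_ldap._tcp.dc._msdcs.corp.internal. 600 IN SRV 0 100 389 dc1.corp.internal.",
    "_ldap._tcp.dc._msdcs.corp.internal. 600 IN SRV 0 50 389 dc2.corp.internal.",
]

if __name__ == "__main__":
    print(reverse_zone("150.10.0.0/16"), ptr_owner("150.10.20.1"))
    print(order_targets([parse_srv(line) for line in LOCATOR]))
```

The page's example entry "1.20 IN PTR WS1.ACME.COM." inside 10.150.IN-ADDR.ARPA is the same name `ptr_owner("150.10.20.1")` produces once the zone suffix is appended, which is a handy sanity check when hand-building a reverse zone.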
These text files must be synchronized among DNS name servers by using a system that requires a separate replication topology and schedule, called a zone transfer. However, if you use Active Directory–integrated DNS when you configure a domain controller as a DNS name server, zone data is stored as an Active Directory object and is replicated as part of domain replication.

Q. What are the benefits of using Windows 2003 DNS when using AD-integrated zones?
Answer: If your DNS topology includes Active Directory, use Active Directory–integrated zones. Active Directory–integrated zones enable you to store zone data in the Active Directory database. Zone information about any primary DNS server within an Active Directory–integrated zone is always replicated. Because DNS replication is single-master, a primary DNS server in a standard primary DNS zone can be a single point of failure. In an Active Directory–integrated zone, a primary DNS server cannot be a single point of failure because Active Directory uses multimaster replication. Updates that are made to any domain controller are replicated to all domain controllers and the zone information about any primary DNS server within an Active Directory–integrated zone is always replicated. Active Directory–integrated zones:

  • Enable you to secure zones by using secure dynamic update.
  • Provide increased fault tolerance. Every Active Directory–integrated zone can be replicated to all domain controllers within the Active Directory domain or forest. All DNS servers running on these domain controllers can act as primary servers for the zone and accept dynamic updates.
  • Enable replication that propagates changed data only, compresses replicated data, and reduces network traffic.

If you have an Active Directory infrastructure, you can only use Active Directory–integrated zones on Active Directory domain controllers. If you are using Active Directory–integrated zones, you must decide whether or not to store Active Directory–integrated zones in the application directory partition. You can combine Active Directory–integrated zones and file-based zones in the same design. For example, if the DNS server that is authoritative for the private root zone is running on an operating system other than Windows Server 2003 or Windows 2000, it cannot act as an Active Directory domain controller. Therefore, you must use file-based zones on that server. However, you can delegate this zone to any domain controller running either Windows Server 2003 or Windows 2000.

Q. You installed a new AD domain and the new (and first) DC has not registered its SRV records in DNS. Name a few possible causes.

Q. What are the benefits and scenarios of using stub zones?
Answer: Understanding stub zones. A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces. A stub zone consists of:

  • The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
  • The IP address of one or more master servers that can be used to update the stub zone.

The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name. Using stub zones (updated January 21, 2005). Use stub zones to:

  • Keep delegated zone information current. By updating a stub zone for one of its child zones regularly, the DNS server hosting both the parent zone and the stub zone will maintain a current list of authoritative DNS servers for the child zone.
  • Improve name resolution. Stub zones enable a DNS server to perform recursion using the stub zone's list of name servers without needing to query the Internet or internal root server for the DNS namespace.
  • Simplify DNS administration. By using stub zones throughout your DNS infrastructure, you can distribute a list of the authoritative DNS servers for a zone without using secondary zones. However, stub zones do not serve the same purpose as secondary zones and are not an alternative when considering redundancy and load sharing.

There are two lists of DNS servers involved in the loading and maintenance of a stub zone:

  • The list of master servers from which the DNS server loads and updates a stub zone. A master server may be a primary or secondary DNS server for the zone. In both cases, it will have a complete list of the DNS servers for the zone.
  • The list of the authoritative DNS servers for a zone. This list is contained in the stub zone using name server (NS) resource records.

When a DNS server loads a stub zone, such as widgets.example.com, it queries the master servers, which can be in different locations, for the necessary resource records of the authoritative servers for the zone widgets.example.com. The list of master servers may contain a single server or multiple servers and can be changed at any time. For more information, see Configure a stub zone for local master servers.

Q. What are the benefits and scenarios of using Conditional Forwarding?
Answer: Rather than having a DNS server forward all queries it cannot resolve to forwarders, the DNS server can forward queries for different domain names to different DNS servers according to the specific domain names that are contained in the queries. Forwarding according to these domain-name conditions improves conventional forwarding by adding a second condition to the forwarding process. A conditional forwarder setting consists of a domain name and the IP address of one or more DNS servers. To configure a DNS server for conditional forwarding, a list of domain names is set up on the Windows Server 2003-based DNS server along with the DNS server IP address for each. When a DNS client or server performs a query against a Windows Server 2003-based DNS server that is configured for forwarding, the DNS server first checks whether the query can be resolved by using its own zone data or the zone data that is stored in its cache. Then, if the DNS server is configured to forward for the domain name that is designated in the query (a match), the query is forwarded to the IP address of the DNS server that is associated with that domain name. If the DNS server has no domain name listed that matches the name designated in the query, it attempts to resolve the query by using standard recursion.

Q. What are the differences between Windows Clustering, Network Load Balancing and Round Robin, and scenarios for each use?
Answer: Cluster technologies are becoming increasingly important to ensure service offerings meet the requirements of the enterprise. Windows 2000 and Windows Server 2003 support three cluster technologies to provide high availability, reliability and scalability: Network Load Balancing (NLB), Component Load Balancing (CLB) and Server cluster. Each technology has a specific purpose and is designed to meet different requirements.

  • Server cluster provides failover support for applications and services that require high availability, scalability and reliability, and is ideally suited for back-end applications and services, such as database servers. Server cluster can use various combinations of active and passive nodes to provide failover support for mission critical applications and services.
  • NLB provides failover support for IP-based applications and services that require high scalability and availability, and is ideally suited for Web-tier and front-end services. NLB clusters can use multiple adapters and different broadcast methods to assist in the load balancing of TCP, UDP and GRE traffic requests.
  • Component Load Balancing provides dynamic load balancing of middle-tier application components that use COM+ and is ideally suited for application servers. CLB clusters use two clusters. The routing cluster can be configured as a routing list on the front-end Web servers or as separate servers that run Server cluster.

Cluster technologies by themselves are not enough to ensure that high availability goals can be met. Multiple physical locations may be necessary to guard against natural disasters and other events that may cause a complete service outage. Effective processes and procedures, in addition to good architecture, are the keys to high availability.

Round robin is a load balancing mechanism used by DNS servers to share and distribute network resource loads. You can use it to rotate all resource record (RR) types contained in a query answer if multiple RRs are found. By default, DNS uses round robin to rotate the order of RR data returned in query answers where multiple RRs of the same type exist for a queried DNS domain name. This feature provides a simple method for load balancing client use of Web servers and other frequently queried multihomed computers. If round robin is disabled for a DNS server, the order of the response for these queries is based on the static ordering of RRs in the answer list as they are stored in the zone (either its zone file or Active Directory).

Q. How do I clear the DNS cache on the DNS server?
Answer: To clear the DNS cache, do the following:

  1. Start
  2. Run
  3. Type "cmd" and press enter
  4. In the command window type "ipconfig /flushdns"
  5. If done correctly it should say "Successfully flushed the DNS Resolver Cache."
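As an added example covering the conditional forwarding and round robin answers above (not code from the original page), this Python model applies a server's resolution order: its own zone data (rotating multi-record answers when round robin is on), its cache, the most specific matching conditional forwarder, and finally recursion. Zone names, addresses and forwarder targets are constructed; the forwarder match is done label by label so that a name under notpartner.example does not match a forwarder for partner.example.

```python
"""Model of a DNS server's answer order: own zones (with round robin),
cache, conditional forwarders, then recursion.

Added example, not from the original page. Zone names, addresses and
forwarder targets below are constructed for illustration.
"""
from __future__ import annotations


def labels(name: str) -> list[str]:
    return name.rstrip(".").lower().split(".")


def in_domain(name: str, domain: str) -> bool:
    """Label-wise suffix test: 'www.partner.example' is in 'partner.example',
    but 'www.notpartner.example' is not (a plain string suffix test would say yes)."""
    n, d = labels(name), labels(domain)
    return len(n) >= len(d) and n[-len(d):] == d


class DnsServer:
    def __init__(self, zones, conditional_forwarders, round_robin=True):
        self.zones = zones                        # zone -> {name: [A records in zone-file order]}
        self.forwarders = conditional_forwarders  # domain -> [forwarder IPs]
        self.round_robin = round_robin
        self.cache: dict[str, list[str]] = {}     # name -> cached RR list
        self._rotation: dict[str, int] = {}       # per-name rotation counter

    def _answer_from_zone(self, name: str, records: list[str]) -> list[str]:
        """Rotate multi-RR answers when round robin is on; static zone order otherwise."""
        if not self.round_robin or len(records) < 2:
            return list(records)
        k = self._rotation.get(name, 0)
        self._rotation[name] = (k + 1) % len(records)
        return records[k:] + records[:k]

    def resolve(self, name: str):
        """Return (how the query was handled, data): data is the RR list,
        the forwarder IP, or None (name not in zone / no forwarder matched)."""
        name = name.rstrip(".").lower()
        # 1. authoritative data for a zone this server hosts
        for zone, names in self.zones.items():
            if in_domain(name, zone):
                rrs = names.get(name)
                return ("zone", self._answer_from_zone(name, rrs) if rrs else None)
        # 2. previously cached answer
        if name in self.cache:
            return ("cache", self.cache[name])
        # 3. conditional forwarder whose domain matches; most specific match wins
        matches = [d for d in self.forwarders if in_domain(name, d)]
        if matches:
            best = max(matches, key=lambda d: len(labels(d)))
            return ("conditional-forward", self.forwarders[best][0])
        # 4. no condition matched: standard recursion
        return ("recursion", None)
```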

Q. What is the 224.0.1.24 address used for?
Answer: It is the WINS server group address, used to support auto-discovery and dynamic configuration of replication for WINS servers. For more information, see WINS replication overview.

Q. What is WINS and when do we use it?
Answer: Microsoft Windows Internet Name Service (WINS) is an RFC-compliant NetBIOS name-to-IP-address mapping service. WINS allows Windows-based clients to easily locate resources on Transmission Control Protocol/Internet Protocol (TCP/IP) networks. WINS servers maintain databases of static and dynamic resource name-to-IP-address mappings. Because the Microsoft WINS database supports dynamic name and IP address entries, WINS can be used with Dynamic Host Configuration Protocol (DHCP) services to provide easy configuration and administration of Windows-based TCP/IP networks. WINS servers provide the following benefits:

  • Dynamic database that supports NetBIOS computer name registration and name resolution in an environment where DHCP-enabled clients are dynamically configured for TCP/IP.
  • Centralized management of the NetBIOS computer name database and its replication to other WINS servers.
  • Reduction of NetBIOS name query IP broadcast traffic.
  • Support for Windows-based clients (including Windows NT Server, Windows NT Workstation, Windows 95, Windows for Workgroups, and LAN Manager 2.x).
  • Support for transparent browsing across routers for Windows NT Server, Windows NT Workstation, Windows 95, and Windows for Workgroups clients.

to the WINS server. The WINS server returns the destination computer's IP address to the original computer without the need for broadcast traffic. The second reason for using WINS is that it is dynamic. As computers attach to and detach from the network, the WINS databases are updated automatically. This means that you don't have to create a static LMHOSTS file that the computers can read to determine IP addresses.

Q. Can you have a Microsoft-based network without any WINS server on it? What are the "considerations" regarding not using WINS?
Answer: A given network should have one or more WINS servers that WINS clients can contact to resolve a computer name to an IP address. It is desirable to have multiple WINS servers installed on an intranet for the following reasons:

  • To distribute the NetBIOS computer name query and registration processing load
  • To provide WINS database redundancy, backup, and disaster recovery

Q. Describe the differences between WINS push and pull replications (Microsoft WINS Server push and pull partners).
Answer: Microsoft WINS servers communicate with other Microsoft WINS servers to fully replicate their databases with each other. This ensures that a name registered with one WINS server is replicated to all other Microsoft WINS servers within the intranet, providing a replicated, enterprise-wide database. When multiple WINS servers are used, each WINS server is configured as a pull or push partner of at least one other WINS server. The following table describes the pull and push partner types of replication partners.

Q. What is the difference between tombstoning a WINS record and simply deleting it?
Answer: Through replication and convergence, the record ownership will change from WINS server to WINS server. Eventually, you may end up with a scenario where a WINS server owns a record and its direct replication partner has a replica of the record but does not own it. The problem occurs when no domain controllers refresh the record on the remote WINS server: the records will expire, become tombstoned, and be scavenged out of the database. The following is an example of what could happen.

Q. Name the NetBIOS names you might expect from a Windows 2003 DC that is registered in WINS.
Answer: If a Microsoft Windows NT 3.5-based client computer does not receive a response from the primary Windows Internet Name Service (WINS) server, it queries the secondary WINS server to resolve a NetBIOS name. However, if a NetBIOS name is not found in the primary WINS server's database, a Windows NT 3.5-based client does not query the secondary WINS server. In Microsoft Windows NT 3.51 and later versions of the Windows operating system, a Windows-based client does query the secondary WINS server if a NetBIOS name is not found in the primary WINS server's database.
In Windows NT 3.51, Windows NT 4, Windows 95, Windows 98, Windows 2000, Windows Millennium Edition, Windows XP, and Windows Server 2003, you can specify up to 12 WINS servers. Additional WINS servers are useful when a requested name is not found in the primary WINS server's database or in the secondary WINS server's database. In this situation, the WINS client sends a request to the next server in the list. You can find the list of additional server names in the following registry subkey, where adapter_guid represents the GUID of your adapter: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces\Tcpip_
Note: Make sure that the NameServerList registry entry in this subkey has a multistring type (REG_MULTI_SZ).

Q. What is TCP/IP? Explain some TCP/IP protocols.
Answer: TCP/IP (Transmission Control Protocol/Internet Protocol) is the basic communication language or protocol of the Internet. It can also be used as a communications protocol in a private network (either an intranet or an extranet). When you are set up with direct access to the Internet, your computer is provided with a copy of the TCP/IP program, just as every other computer that you may send messages to or get information from also has a copy of TCP/IP. TCP/IP is a two-layer program. The higher layer, Transmission Control Protocol, manages the assembling of a message or file into smaller packets that are transmitted over the Internet and received by a TCP layer that reassembles the packets into the original message. The lower layer, Internet Protocol, handles the address part of each packet so that it gets to the right destination. Each gateway computer on the network checks this address to see where to forward the message. Even though some packets from the same message are routed differently than others, they will be reassembled at the destination.
TCP/IP uses the client/server model of communication, in which a computer user (a client) requests and is provided a service (such as sending a Web page) by another computer (a server) in the network. TCP/IP communication is primarily point-to-point, meaning each communication is from one point (or host computer) in the network to another point or host computer. TCP/IP and the higher-level applications that use it are collectively said to be "stateless" because each client request is considered a new request unrelated to any previous one (unlike ordinary phone conversations that require a dedicated connection for the call duration). Being stateless frees network paths so that everyone can use them continuously. (Note that the TCP layer itself is not stateless as far as any one message is concerned. Its connection remains in place until all packets in a message have been received.) Many Internet users are familiar with the even higher-layer application protocols that use TCP/IP to get to the Internet. These include the World Wide Web's Hypertext Transfer Protocol (HTTP), the File Transfer Protocol (FTP), Telnet, which lets you log on to remote computers, and the Simple Mail Transfer Protocol (SMTP). These and other protocols are often packaged together with TCP/IP as a "suite." Personal computer users with an analog phone modem connection to the Internet usually get to the Internet through the Serial Line Internet Protocol (SLIP) or the Point-to-Point Protocol (PPP). These protocols encapsulate the IP packets so that they can be sent over the dial-up phone connection to an access provider's modem. Protocols related to TCP/IP include the User Datagram Protocol (UDP), which is used instead of TCP for special purposes. Other protocols are used by network host computers for exchanging routing information.
These include the Internet Control Message Protocol (ICMP), the Interior Gateway Protocol (IGP), the Exterior Gateway Protocol (EGP), and the Border Gateway Protocol (BGP).

Q. What is NetBIOS?
Answer: Netbios.exe is a NetBIOS programming sample that implements an echo server and client. The sample illustrates how a client and server should be written in order to make the application protocol- and LAN Adapter (LANA)-independent. It also shows how to avoid common mistakes programmers frequently make when writing NetBIOS applications under Win32.

Q. Describe the role of the routing table on a host and on a router.
Answer: Routing, in internetworking, is the process of moving a packet of data from source to destination. Routing is usually performed by a dedicated device called a router. Routing is a key feature of the Internet because it enables messages to pass from one computer to another and eventually reach the target machine. Each intermediary computer performs routing by passing along the message to the next computer. Part of this process involves analyzing a routing table to determine the best path. A router (n.) is a device that forwards data packets along networks. A router is connected to at least two networks, commonly two LANs or WANs or a LAN and its ISP's network. Routers are located at gateways, the places where two or more networks connect. Routers use headers and forwarding tables to determine the best path for forwarding the packets, and they use protocols such as ICMP to communicate with each other and configure the best route between any two hosts. Very little filtering of data is done through routers.

Q. Define the OSI model.
Answer: The Open Systems Interconnection Basic Reference Model (OSI Reference Model or OSI Model) is an abstract description for layered communications and computer network protocol design. It was developed as part of the Open Systems Interconnection (OSI) initiative.
In its most basic form, it divides network architecture into seven layers which, from top to bottom, are the Application, Presentation, Session, Transport, Network, Data-Link, and Physical Layers. It is therefore often referred to as the OSI Seven Layer Model.

Layer 1: Physical Layer
The Physical Layer defines the electrical and physical specifications for devices. In particular, it defines the relationship between a device and a physical medium. This includes the layout of pins, voltages, cable specifications, hubs, repeaters, network adapters, Host Bus Adapters (HBAs used in Storage Area Networks) and more. To understand the function of the Physical Layer in contrast to the functions of the Data Link Layer, think of the Physical Layer as concerned primarily with the interaction of a single device with a medium, where the Data Link Layer is concerned more with the interactions of multiple devices (i.e., at least two) with a shared medium. The Physical Layer will tell one device how to transmit to the medium, and another device how to receive from it (in most cases it does not tell the device how to connect to the medium). Obsolescent Physical Layer standards such as RS-232 do use physical wires to control access to the medium.

Layer 2: Data Link Layer
The Data Link Layer provides the functional and procedural means to transfer data between network entities and to detect and possibly correct errors that may occur in the Physical Layer. Originally, this layer was intended for point-to-point and point-to-multipoint media, characteristic of wide area media in the telephone system. Local area network architecture, which included broadcast-capable multiaccess media, was developed independently of the ISO work, in IEEE Project 802. IEEE work assumed sublayering and management functions not required for WAN use. In modern practice, only error detection, not flow control using sliding window, is present in data link protocols such as the Point-to-Point Protocol (PPP); on local area networks, the IEEE 802.2 LLC layer is not used for most protocols on Ethernet, and on other local area networks its flow control and acknowledgment mechanisms are rarely used. Sliding window flow control and acknowledgment are used at the Transport Layer by protocols such as TCP, but are still used at the Data Link Layer in niches where X.25 offers performance advantages. Both WAN and LAN services arrange bits from the Physical Layer into logical sequences called frames. Not all Physical Layer bits necessarily go into frames, as some of these bits are purely intended for Physical Layer functions. For example, every fifth bit of the FDDI bit stream is not used by the Data Link Layer.

Layer 3: Network Layer
The Network Layer provides the functional and procedural means of transferring variable-length data sequences from a source to a destination via one or more networks, while maintaining the quality of service requested by the Transport Layer. The Network Layer performs network routing functions, and might also perform fragmentation and reassembly, and report delivery errors. Routers operate at this layer, sending data throughout the extended network and making the Internet possible. This is a logical addressing scheme: values are chosen by the network engineer. The addressing scheme is hierarchical. The best-known example of a Layer 3 protocol is the Internet Protocol (IP). It manages the connectionless transfer of data one hop at a time, from end system to ingress router, router to router, and from egress router to destination end system. It is not responsible for reliable delivery to a next hop, but only for the detection of errored packets so they may be discarded. When the medium of the next hop cannot accept a packet in its current length, IP is responsible for fragmenting it into packets small enough for the medium to accept. A number of layer management protocols, a function defined in the Management Annex, ISO 7498/4, belong to the Network Layer. These include routing protocols, multicast group management, Network Layer information and error, and Network Layer address assignment. It is the function of the payload that makes these belong to the Network Layer, not the protocol that carries them.

Layer 4: Transport Layer
The Transport Layer provides transparent transfer of data between end users, providing reliable data transfer services to the upper layers. The Transport Layer controls the reliability of a given link through flow control, segmentation/desegmentation, and error control. Some protocols are state- and connection-oriented. This means that the Transport Layer can keep track of the segments and retransmit those that fail. Although not developed under the OSI Reference Model and not strictly conforming to the OSI definition of the Transport Layer, the best-known examples of a Layer 4 protocol are the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).

Layer 5: Session Layer
The Session Layer controls the dialogues/connections (sessions) between computers. It establishes, manages and terminates the connections between the local and remote application. It provides for full-duplex, half-duplex, or simplex operation, and establishes checkpointing, adjournment, termination, and restart procedures. The OSI model made this layer responsible for "graceful close" of sessions, which is a property of TCP, and also for session checkpointing and recovery, which is not usually used in the Internet Protocol Suite. The Session Layer is commonly implemented explicitly in application environments that use remote procedure calls (RPCs).

Layer 6: Presentation Layer
The Presentation Layer establishes a context between Application Layer entities, in which the higher-layer entities can use different syntax and semantics, as long as the Presentation Service understands both and the mapping between them. The presentation service data units are then encapsulated into Session Protocol Data Units and moved down the stack. The original presentation structure used the Basic Encoding Rules of Abstract Syntax Notation One (ASN.1), with capabilities such as converting an EBCDIC-coded text file to an ASCII-coded file, or serializing objects and other data structures into and out of XML. ASN.1 has a set of cryptographic encoding rules that allows end-to-end encryption between application entities.

Layer 7: Application Layer
The Application Layer is the OSI layer closest to the end user, which means that both the OSI Application Layer and the user interact directly with the software application. This layer interacts with software applications that implement a communicating component. Such application programs fall outside the scope of the OSI model. Application Layer functions typically include identifying communication partners, determining resource availability, and synchronizing communication. When identifying communication partners, the Application Layer determines the identity and availability of communication partners for an application with data to transmit. When determining resource availability, the Application Layer must decide whether sufficient network resources for the requested communication exist. In synchronizing communication, all communication between applications requires cooperation that is managed by the Application Layer. Some examples of Application Layer implementations include Telnet, File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP).

Q. Define LDAP.
Answer: Lightweight Directory Access Protocol (LDAP) is the industry standard directory access protocol, making Active Directory widely accessible to management and query applications. Active Directory supports LDAPv3 and LDAPv2.

Q. What are routing protocols? Why do we need them? Name a few.
Answer: A routing protocol is a protocol that specifies how routers communicate with each other to disseminate information that allows them to select routes between any two nodes on a network. Typically, each router has prior knowledge only of its immediate neighbors. A routing protocol shares this information so that routers have knowledge of the network topology at large. For a discussion of the concepts behind routing protocols, see: Routing. The term routing protocol may refer more specifically to a protocol operating at Layer 3 of the OSI model which similarly disseminates topology information between routers. Many routing protocols used in the public Internet are defined in documents called RFCs.
There are three major types of routing protocols, some with variants: link-state routing protocols, path vector protocols and distance vector routing protocols. The specific characteristics of routing protocols include the manner in which they either prevent routing loops from forming or break routing loops if they do form, and the manner in which they determine preferred routes from a sequence of hop costs and other preference factors.

  • IGRP (Interior Gateway Routing Protocol)
  • EIGRP (Enhanced Interior Gateway Routing Protocol)
  • OSPF (Open Shortest Path First)
  • RIP (Routing Information Protocol)
  • IS-IS (Intermediate System to Intermediate System)
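As an added example for the routing-protocol answer above (not code from the page), one constructed five-router topology is routed twice in Python: with a link-state shortest-path-first computation over link costs, as OSPF does, and with a hop-count distance-vector exchange capped at 16 as RIP does, to show that the two metrics can prefer different next hops for the same destination.

```python
"""Route selection under a link-state and a distance-vector metric.

Added example, not from the original page: computes a routing table for one
constructed topology twice, once the way a link-state protocol such as OSPF
does (Dijkstra over link costs) and once the way RIP does (hop count, with
16 meaning unreachable), to show that the two can prefer different paths.
"""
from __future__ import annotations
import heapq

# constructed topology: (router, router, link cost). RIP counts every link as 1.
LINKS = [
    ("A", "B", 10), ("B", "D", 10),               # two hops, high cost (slow links)
    ("A", "C", 1), ("C", "E", 1), ("E", "D", 1),  # three hops, low cost (fast links)
]
RIP_INFINITY = 16  # RIP treats 16 hops as unreachable


def adjacency(links, unit_cost=False):
    """Build {router: {neighbor: cost}}; unit_cost=True gives RIP's hop-count view."""
    adj = {}
    for u, v, cost in links:
        c = 1 if unit_cost else cost
        adj.setdefault(u, {})[v] = c
        adj.setdefault(v, {})[u] = c
    return adj


def link_state_routes(links, source):
    """Dijkstra's shortest path first; returns {dest: (cost, next_hop)}."""
    adj = adjacency(links)
    best = {source: (0, None)}
    heap = [(0, source, None)]
    while heap:
        cost, node, first_hop = heapq.heappop(heap)
        if cost > best[node][0]:
            continue  # stale entry, a cheaper path was found already
        for nbr, c in adj[node].items():
            hop = nbr if node == source else first_hop
            if nbr not in best or cost + c < best[nbr][0]:
                best[nbr] = (cost + c, hop)
                heapq.heappush(heap, (cost + c, nbr, hop))
    return {d: v for d, v in best.items() if d != source}


def distance_vector_routes(links, source):
    """Bellman-Ford style exchange: every router repeatedly learns its neighbors'
    tables, adding one hop; returns {dest: (hops, next_hop)} for `source`."""
    adj = adjacency(links, unit_cost=True)
    routers = list(adj)
    tables = {r: {r: (0, None)} for r in routers}  # router -> {dest: (hops, next_hop)}
    for _ in range(len(routers)):  # enough rounds to converge on a loop-free topology
        changed = False
        for r in routers:
            for nbr in adj[r]:
                for dest, (hops, _via) in tables[nbr].items():
                    new = min(hops + 1, RIP_INFINITY)
                    if dest not in tables[r] or new < tables[r][dest][0]:
                        tables[r][dest] = (new, nbr)
                        changed = True
        if not changed:
            break
    return {d: v for d, v in tables[source].items()
            if d != source and v[0] < RIP_INFINITY}
```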

Q. What are router interfaces? What types can they be?
Answer: The interfaces on a router provide network connectivity to the router. The console and auxiliary ports are used for managing the router. Routers also have ports for LAN and WAN connectivity. The LAN interfaces usually include Ethernet, Fast Ethernet, Fiber Distributed Data Interface (FDDI), or Token Ring. The AUI port is used to provide LAN connectivity; you can use a converter to attach your LAN to the router. Some higher-end routers have separate interfaces for ATM (Asynchronous Transfer Mode) as well. Sync and Async serial interfaces are used for WAN connectivity. ISDN (Integrated Services Digital Network) interfaces are used to provide ISDN connectivity. Using ISDN, you can transmit both voice and data.

Bus Topology
To prevent collisions, Carrier Sense Multiple Access with Collision Detection (CSMA/CD) is used in Ethernet; data is transferred one way at a time. Ethernet is one of the earliest LAN technologies. An Ethernet LAN typically uses special grades of twisted pair cabling. Ethernet networks can also use coaxial cable, but this cable medium is becoming less common. The most commonly installed Ethernet systems are called 10BaseT. The router provides the interfaces for twisted pair cables. A converter can be attached to the AUI port of a router to connect to a 10Base2, 10BaseT, or 10Base5 LAN interface. Ethernet and Token Ring use MAC addressing (physical addressing). The Ethernet interfaces on the router are E0, E1, E2, and so on. E stands for Ethernet, and the number that follows represents the port number. These interfaces provide connectivity to an Ethernet LAN. In a non-modular Cisco router, the Ethernet ports are named as above, but in modular routers they are named as E0/1, where E stands for Ethernet, 0 stands for the slot number, and 1 stands for the port number in that slot.
Token Ring Topology
Token Ring is the second most widely used LAN technology after Ethernet, where all computers are connected in a logical ring topology. Physically, each host attaches to an MSAU (Multistation Access Unit) in a star configuration. MSAUs can be chained together to maintain the logical ring topology. An empty frame called a token is passed around the network. A device on the network can transmit data only when the empty token reaches the device. This eliminates collisions on a Token Ring network. Token Ring uses MAC addresses just like any other LAN technology. The Token Ring interfaces on a non-modular router are To0, To1, To2 and so on. "To" stands for Token Ring and the number following "To" signifies the port number. In a modular router, "To" will be followed by the slot number/port number.

FDDI
Fiber Distributed Data Interface (FDDI) is a LAN technology that uses fiber optic cable. FDDI is a ring topology that uses four-bit symbols rather than eight-bit octets in its frames. The 48-bit MAC addresses have 12 four-bit symbols for FDDI. FDDI is very fast, provides a data transfer rate of 100 Mbps and uses a token-passing mechanism to prevent collisions. FDDI uses two rings with their tokens moving in opposite directions to provide redundancy to the network. Usually only one ring is active at a given time. If one ring breaks, the other ring is used and the network does not experience downtime. FDDI interfaces on a non-modular Cisco router are F0, F1, F2 and so on. "F" stands for FDDI and the number following "F" signifies the port number. In a modular router, a slot number/port number will follow "F".

ISDN
Integrated Services Digital Network (ISDN) is a set of ITU-T (Telecommunication Standardization Sector of the International Telecommunications Union) standards for digital transmission over ordinary telephone copper wire as well as over other media.
ISDN provides the integration of both analog voice data and digital data over the same network. ISDN has two levels of service:

  • Basic Rate Interface (BRI)
  • Primary Rate Interface (PRI)

The BRI interfaces for ISDN on a non-modular router are BRI0, BRI1, and so on, with the number following "BRI" signifying the port number. In a modular router, BRI is followed by the slot number/port number.

Synchronous transmission signals occur at the same clock rate, and all clocks are based on a single reference clock. Since asynchronous transmission is a character-by-character transmission type, each character is delimited by a start and stop bit; therefore clocks are not needed in this type of transmission. Synchronous communication requires a response at the end of each exchange of frames, while asynchronous communications do not require responses. Support for the Synchronous Serial interface is supplied on the Multiport Communications Interface (CSC-MCI) and the Serial Port Communications Interface (CSC-SCI) network interface cards. The Asynchronous Serial interface is provided by a number of methods, including RJ-11, RJ-45, and 50-pin Telco connectors. Some ports can function both as Synchronous Serial interfaces and Asynchronous Serial interfaces. Such ports are called Async/Sync ports. The Async/Sync ports support Telco and RJ-11 connectors.

Q. What is the real difference between NAT and PAT?
Answer: Port Address Translation (PAT) is a special kind of Network Address Translation (NAT). It can provide an excellent solution for a company that has multiple systems that need to access the Internet but that has only a few public IP addresses. Let's take a look at the distinctions between NAT and PAT and see how they are typically used. Then, I'll show you how to configure PAT on a Cisco router. Understanding PAT and NAT: before discussing PAT, it will help to describe what NAT does in general. NAT was designed to be a solution to the lack of public IP addresses available on the Internet.
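As an added example (not code from the page or from Cisco) of the distinction this answer draws between NAT and PAT: a Python model of a one-to-one NAT pool beside a PAT router that rewrites source ports so that many RFC 1918 hosts share one public address, and that drops inbound packets matching no translation. All addresses and ports are constructed.

```python
"""NAT versus PAT on a router with RFC 1918 inside addresses.

Added example, not from the original page: one-to-one NAT needs a public
address per inside host, while PAT (port address translation) rewrites the
source port so that many inside hosts share one public address. All
addresses and ports here are constructed.
"""
from __future__ import annotations
import ipaddress

# the private address spaces the answer names (RFC 1918)
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


class StaticNat:
    """One-to-one NAT: each inside host consumes one public address from a pool."""

    def __init__(self, public_pool: list[str]):
        self.free = list(public_pool)
        self.mapping: dict[str, str] = {}  # inside ip -> public ip

    def translate_outbound(self, src_ip: str) -> str:
        if src_ip not in self.mapping:
            if not self.free:
                raise RuntimeError("public address pool exhausted")
            self.mapping[src_ip] = self.free.pop(0)
        return self.mapping[src_ip]


class PatRouter:
    """PAT (NAT overload): one public address; each inside (ip, port) pair
    gets its own translated public port so replies can be mapped back."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound: dict[tuple[str, int], int] = {}  # (inside ip, port) -> public port
        self.inbound: dict[int, tuple[str, int]] = {}   # public port -> (inside ip, port)

    def translate_outbound(self, src_ip: str, src_port: int) -> tuple[str, int]:
        """Rewrite an inside source (ip, port) to (public ip, translated port)."""
        if not is_rfc1918(src_ip):
            raise ValueError(f"{src_ip} is not an inside RFC 1918 address")
        key = (src_ip, src_port)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return (self.public_ip, self.outbound[key])

    def translate_inbound(self, dst_port: int):
        """A reply to a translated port goes back to the inside host; a packet
        for a port with no entry has no inside destination and is dropped (None)."""
        return self.inbound.get(dst_port)
```

The inbound lookup is the property that makes a PAT router drop unsolicited traffic from the Internet: without an outbound flow there is no entry to map the packet to.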
The basic concept of NAT is that it allows inside (internal) hosts to use the private address spaces (the 10/8, 172.16/12, and 192.168/16 networks; see RFC 1918), go through the internal interface of a router running NAT, and then have the internal addresses translated to the router's public IP address on the external interface that connects to the Internet. If you dig into NAT a little deeper, you will discover that there are really three ways to configure it. From these configurations, you can perform a variety of functions.

Q. What is VPN? What types of VPN do Windows 2000 and later work with natively?
Answer: Microsoft defines a virtual private network as the extension of a private network that encompasses links across shared or public networks like the Internet. With a VPN, you can send data between two computers across a shared or public network in a manner that emulates a point-to-point private link (such as a dial-up or long-haul T-Carrier-based WAN link). Virtual private networking is the act of creating and configuring a virtual private network. To emulate a point-to-point link, data is encapsulated, or wrapped, with a header that provides routing information, which allows the data to traverse the shared or public network to reach its endpoint. To emulate a private link, the data is encrypted for confidentiality. Packets that are intercepted on the shared or public network are indecipherable without the encryption keys. The link in which the private data is encapsulated and encrypted is a VPN connection. There are two key VPN scenarios: remote access and site-to-site. In remote access, the communications are encrypted between a remote computer (the VPN client) and the remote access VPN gateway (the VPN server) to which it connects. In site-to-site (also known as router-to-router), the communications are encrypted between two routers (VPN gateways) that link two sites.

Q. What are the benefits of using VPN connections?
Answer: For remote access connections, an organization can use VPN connections to leverage the worldwide connectivity of the Internet and trade its direct-dial remote access solutions (and their corresponding equipment and maintenance costs) for a single connection to an Internet service provider (ISP) without sacrificing the privacy of a dedicated dial-up connection. For routed connections, an organization can use VPN connections to leverage the worldwide connectivity of the Internet and trade long-distance dial-up or leased lines for simple connections to an ISP without sacrificing the privacy of a dial-up or dedicated site-to-site link.

Q.What is IAS? In what scenarios do we use it? Answer: Internet Authentication Service (IAS), in Windows Server 2003 Standard, Enterprise and Datacenter Editions, is the Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy. In Windows Server 2008, the RADIUS server and proxy implementation is known as Network Policy Server (NPS). As a RADIUS server, IAS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless, authenticating switch, and remote access dial-up and virtual private network (VPN) connections. As a RADIUS proxy, IAS forwards authentication and accounting messages to other RADIUS servers. RADIUS is an Internet Engineering Task Force (IETF) standard.
To optimize IAS authentication and authorization response times and minimize network traffic, install IAS on a domain controller. When user principal names (UPNs) or Windows Server 2003 domains are used, IAS uses the global catalog to authenticate users; to minimize the time this takes, install IAS on either a global catalog server or a server on the same subnet. When you have remote RADIUS server groups configured and, in IAS Connection Request Policies, you clear the "Record accounting information on the servers in the following remote RADIUS server group" check box, these groups are still sent network access server (NAS) start and stop notification messages, which creates unnecessary network traffic. To eliminate this traffic, disable NAS notification forwarding for individual servers in each remote RADIUS server group by clearing the "Forward network start and stop notifications to this server" check box.

Q.What's the difference between Mixed mode and Native mode in AD when dealing with RRAS? Answer: Like Windows 2000 and Active Directory, Exchange 2000 also has native and mixed modes of operation. Moving your Exchange organization to native mode offers advantages over mixed mode, but you must thoroughly understand the differences between native and mixed mode before planning a switch to native mode. By default, Exchange 2000 installs and operates in mixed mode. Mixed mode allows Exchange 2000 and Exchange 5.5 servers to coexist and communicate; however, this backward compatibility limits administrative flexibility.
Under mixed mode, Exchange 5.5 sites map directly to administrative groups and administrative groups map directly to Exchange 5.5 sites. All servers in a site must use a common service account, just as with Exchange 5.5. In addition, routing groups only contain servers from a single administrative group. Native mode allows more flexibility than mixed mode. With Exchange in native mode, you can place servers from multiple administrative groups into a single routing group, and you can move servers between routing groups. You can do away with the requirement that all servers in a site must use a common service account. Additionally, operating in native mode allows you to move mailboxes between servers in the organization (removing the intersite mailbox move limitation in Exchange 5.5). For some companies, this enhanced mailbox move capability is reason enough to switch to native mode.

For Active Directory itself, the same distinction is expressed as domain functional levels. The domain functional levels that can be set for Active Directory in Windows Server 2003 are listed below. The Windows 2000 Mixed and Windows 2000 Native domain functional levels were available in Windows 2000 to enable backward compatibility with operating systems such as Windows NT 4.0. The latter two functional levels are only available with Windows Server 2003.

  • Windows 2000 Mixed: This is the default functional level when you install a Windows Server 2003 domain controller. Only the basic Active Directory features are available at this level.
  • Windows 2000 Native: At this functional level, Windows NT backup domain controllers are not supported as domain controllers in the domain; only Windows 2000 and Windows Server 2003 domain controllers are supported.

The main difference between Windows 2000 Mixed and Windows 2000 Native in terms of Active Directory features is that group nesting, universal groups and SID history (SIDHistory) are not available in Windows 2000 Mixed but are available in Windows 2000 Native.

  • Windows Server 2003 Interim: This functional level is used when Windows NT domains are directly upgraded to Windows Server 2003. Windows Server 2003 Interim is basically identical to Windows 2000 Native. The key point to remember on Windows Server 2003 Interim is that this functional level is used when the forests in your environment do not have Windows 2000 domain controllers.
  • Windows Server 2003: This domain functional level is used when the domain only includes Windows Server 2003 domain controllers.

The forest functional level can also be raised to enable additional Active Directory features. You must first raise the functional level of the domains within a forest before you can raise the forest functional level to Windows Server 2003: each domain must be at Windows 2000 Native or Windows Server 2003. When you raise the forest functional level to Windows Server 2003, the domains in the forest automatically have their domain functional level set to Windows Server 2003, and the additional Active Directory features become immediately available in each domain. The forest functional levels that can be set for Active Directory in Windows Server 2003 are listed below.

  • Windows 2000: In this forest functional level, Windows NT, Windows 2000 and Windows Server 2003 domain controllers can exist in domains.
  • Windows Server 2003 Interim: Windows NT backup domain controllers and Windows Server 2003 domain controllers can exist in domains.
  • Windows Server 2003: The domain controllers are all running Windows Server 2003.

Your Exchange organization is a candidate for native mode operation if you have no remaining Exchange 5.5 servers (and no plans to add any) and you don't require Exchange 5.5 connectors. Now that you know about native vs. mixed mode, you may want to start planning a switch to native mode. While making the switch isn't difficult, it's permanent, so begin testing and refining your plan for switching to native mode in a lab environment first.

Q.Where is the AD database held? What other folders are related to AD? Answer:

Active Directory Structure

Active Directory has a hierarchical structure consisting of various components that mirror the network of the organization. The components included in the Active Directory hierarchical structure are listed below:

  • Sites
  • Domains
  • Domain Trees
  • Forests
  • Organizational Units (OUs)
  • Objects
  • Domain Controllers
  • Global Catalog
  • Schema

The Global Catalog and Schema components actually manage the Active Directory hierarchical structure. In Active Directory, logically grouping resources to reflect the structure of the organization enables you to locate resources using the resource's name instead of its physical location. Active Directory logical structures also enable you to manage network accounts and shared resources. The components of Active Directory that represent the logical structure in an organization are:

  • Domains, Organizational Units (OUs), Trees, Forests, Objects

The components of Active Directory that are regarded as Active Directory physical structures are used to reflect the organization's physical structure. The components of Active Directory that are physical structures are:

  • Sites, Subnets, Domain Controllers

The following section examines the logical and physical components of Active Directory. A domain in Active Directory consists of a set of computers and resources that all share a common directory database, which can store a multitude of objects. Domains contain all the objects that exist in the network, and each domain holds information on the objects it contains. Domains are considered the core unit of the Active Directory logical structure. Active Directory domains differ substantially from domains in Windows NT networks: Windows NT domains can store far fewer objects than Active Directory domains, and they are structured as peers to one another, which means you cannot arrange them into a hierarchy. Active Directory domains, on the other hand, can be organized into a hierarchical structure through forests and domain trees. An Active Directory domain holds the following:

  • Logical partition of users and groups
  • All other objects in the environment

In Active Directory, domains have the following common characteristics:

  • The domain contains all network objects
  • The domain is a security boundary – access control lists (ACLs) control access to the objects within a domain.

Within a domain, objects all have the following common characteristics:

  • Group Policy and security permissions
  • Hierarchical object naming
  • Hierarchical properties
  • Trust relationships

The majority of components in Active Directory are objects. In Active Directory, objects represent network resources. Every object has a unique name that identifies it, known as the object's distinguished name. Objects are organized into object classes, which can be regarded as logical groupings of objects. An object class defines a set of attributes, which are the characteristics of objects in the directory; attributes can be looked at as properties that hold information on characteristics and configuration. The objects an administrator is most likely to manage are users, groups and computers.

In Active Directory, the main groups are security groups and distribution groups. It is easier to place users into groups and then assign permissions to network resources via these groups; by implementing and using groups effectively, you are in a good position to manage security and permissions in Active Directory.

Organizational units (OUs) are logical containers used to organize objects into logical groups. OUs can be arranged hierarchically within a domain. An organizational unit can contain objects such as user accounts, groups, computers, shared resources and other OUs. You can also assign permissions to OUs to delegate administrative control, and each domain can have its own OU hierarchy. Organizational units are depicted as folders in the Active Directory Users and Computers administrative tool.

In Active Directory, a domain tree is the grouping of one or more Windows 2000 or Windows Server 2003 domains into a hierarchy. Domain trees are created by adding child domains to a parent domain. Domains grouped into a domain tree have a hierarchical naming structure and share a contiguous namespace. Multiple domains are typically utilized to:

  • Improve performance
  • Decentralize administration
  • Manage and control replication in Active Directory
  • Implement different security policies for each domain
  • Accommodate a directory with a very large number of objects

A forest in Active Directory is the grouping of one or multiple domain trees. The characteristics of forests are summarized below:

  • Domains in a forest share a common schema and global catalog, and are connected by implicit two-way transitive trusts. A global catalog is used to increase performance in Active Directory when users search for attributes of an object. The global catalog server contains a copy of all objects in its associated host domain, as well as a partial copy of objects in the other domains in the forest.
  • Domains in a forest function independently, with the forest making communication possible with the whole organization.
  • Domain trees in a forest do not have the same naming structures.

In Active Directory, a site is basically the grouping of one or more Internet Protocol (IP) subnets which are connected by a reliable high-speed link. Sites normally have the same boundaries as a local area network (LAN). Sites should be defined as locations that enable fast and cheap network access. Sites are essentially created to enable users to connect to a domain controller using the reliable high-speed link; and to optimize replication network traffic. Sites determine the time and the manner in which information should be replicated between domain controllers. A site contains the objects listed below that are used to configure replication among sites.

  • Computer objects
  • Connection objects
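Sites are the piece of this structure that a domain controller consults at logon time: the client's IP address is matched against the subnet objects to pick the site, and the most specific subnet wins. The following Python is an added example (not code from the page or from Microsoft) of that longest-prefix lookup; the subnet-to-site table and the client addresses are constructed sample values, and the only library used is the standard `ipaddress` module.

```python
import ipaddress

# Constructed subnet-to-site table (sample values for this example, not from the
# original page). In Active Directory the equivalent data is the set of subnet
# objects under CN=Subnets,CN=Sites,CN=Configuration, each linked to a site.
SUBNET_TO_SITE = {
    "10.1.0.0/16": "Headquarters",
    "10.1.200.0/24": "HQ-Lab",        # nested inside 10.1.0.0/16, so it must win
    "10.2.0.0/16": "Branch-Paris",
    "192.168.50.0/24": "Branch-Oslo",
    "2001:db8:10::/48": "Headquarters",
}


def build_subnet_table(mapping):
    """Parse the CIDR strings once and order them longest prefix first.

    strict=True rejects entries with host bits set (e.g. 10.1.0.5/16), the
    kind of typo that silently breaks site coverage.
    """
    table = [(ipaddress.ip_network(cidr, strict=True), site)
             for cidr, site in mapping.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


TABLE = build_subnet_table(SUBNET_TO_SITE)


def site_for_address(addr, table=TABLE):
    """Return (matching_subnet, site) for the most specific subnet containing
    addr, or None when no subnet covers it (a client with no site)."""
    ip = ipaddress.ip_address(addr)
    for network, site in table:
        if ip.version == network.version and ip in network:
            return network, site
    return None


def clients_by_site(addrs, table=TABLE):
    """Group client addresses by the site they resolve to.

    Addresses that match no subnet are collected under the key None so an
    administrator can see which ranges still need a subnet object."""
    grouped = {}
    for addr in addrs:
        hit = site_for_address(addr, table)
        grouped.setdefault(hit[1] if hit else None, []).append(addr)
    return grouped


if __name__ == "__main__":
    # Constructed sample of client addresses as a domain controller might see them.
    sample = ["10.1.3.4", "10.1.200.7", "10.2.9.9", "172.16.0.5", "2001:db8:10::1"]
    for site, members in clients_by_site(sample).items():
        print(site or "<no site>", members)
```

The `None` bucket is the operationally interesting one: clients that match no subnet are not site-aware, so they may authenticate against a domain controller across a slow link, and on a real domain controller Netlogon records such clients in its debug log. Running the grouping over a sample of client addresses is a cheap way to find subnets that were never defined.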

A domain controller is a computer running Windows 2000 or Windows Server 2003 that contains a replica of the domain directory. Domain controllers in Active Directory maintain the Active Directory data store and security policy of the domain. Domain controllers therefore also provide security for the domain by authenticating user logon attempts. The main functions of domain controllers within Active Directory are summarized in the following section:

  • Each domain controller in a domain stores and maintains a replica of the Active Directory data store for the particular domain.
  • Domain controllers in Active Directory utilize multimaster replication. What this means is that no single domain controller is the master domain controller. All domain controllers are considered peers.
  • Domain controllers also automatically replicate directory information for objects stored in the domain between one another.
  • Updates that are considered important are replicated immediately to the remainder of the domain controllers within the domain.
  • Implementing multiple domain controllers within a domain provides fault tolerance for the domain.
  • In Active Directory, domain controllers can detect collisions. A collision occurs when an attribute modified on one domain controller is changed on a different domain controller before the first change has fully propagated.
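Multimaster replication only works because every domain controller settles a collision the same way, whatever order the conflicting changes arrive in. The following Python is an added example (not code from the page) of that per-attribute rule: the write with the highest version wins, a tie goes to the later originating timestamp, and a remaining tie goes to the higher originating DSA GUID. The DSA invocation IDs, timestamps and attribute values are constructed sample data, and both scenarios return what each of the two simulated domain controllers ends up holding.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import uuid


@dataclass(frozen=True)
class AttrWrite:
    """One originating write of a single attribute plus its replication metadata."""
    value: str
    version: int                 # bumped by the originating DC on every write
    originating_time: datetime   # when the originating DC made the write (UTC)
    originating_dsa: uuid.UUID   # invocation ID of the originating DC


def resolve(local: AttrWrite, incoming: AttrWrite) -> AttrWrite:
    """Apply the multimaster conflict rule for one attribute.

    Highest version wins; on equal versions the later originating timestamp
    wins; on equal timestamps the higher originating DSA GUID wins, so every
    DC reaches the same verdict regardless of the order changes arrive in.
    """
    def rank(w):
        return (w.version, w.originating_time, w.originating_dsa.int)
    return incoming if rank(incoming) > rank(local) else local


def apply_all(state: AttrWrite, incoming) -> AttrWrite:
    """Replay a sequence of inbound writes against the locally held value."""
    for w in incoming:
        state = resolve(state, w)
    return state


# Constructed identities and clock for the simulation (sample values only).
DSA1 = uuid.UUID("11111111-1111-4111-8111-111111111111")
DSA2 = uuid.UUID("22222222-2222-4222-8222-222222222222")
T0 = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)
BASE = AttrWrite("Sales", 1, T0, DSA1)   # the replicated value both DCs start with


def scenario_timestamp_tiebreak():
    """Both DCs change the attribute once, at the same version, before either
    change has replicated: the later originating write wins on both DCs."""
    w1 = AttrWrite("Marketing", 2, T0 + timedelta(seconds=10), DSA1)
    w2 = AttrWrite("Engineering", 2, T0 + timedelta(seconds=15), DSA2)
    dc1 = apply_all(apply_all(BASE, [w1]), [w2])   # DC1: own write, then DC2's
    dc2 = apply_all(apply_all(BASE, [w2]), [w1])   # DC2: own write, then DC1's
    return dc1.value, dc2.value


def scenario_version_wins():
    """DC1 writes twice (version 3) while DC2 writes once (version 2) but later
    in wall-clock time: the higher version wins even though it is older."""
    w1a = AttrWrite("Marketing", 2, T0 + timedelta(seconds=10), DSA1)
    w1b = AttrWrite("Support", 3, T0 + timedelta(seconds=20), DSA1)
    w2 = AttrWrite("Engineering", 2, T0 + timedelta(seconds=30), DSA2)
    dc1 = apply_all(apply_all(BASE, [w1a, w1b]), [w2])
    dc2 = apply_all(apply_all(BASE, [w2]), [w1a, w1b])
    return dc1.value, dc2.value


if __name__ == "__main__":
    print("timestamp tie-break:", scenario_timestamp_tiebreak())
    print("version wins:", scenario_version_wins())
```

The second scenario is the one that surprises people: "last writer wins" is only the tie-breaker, so a value written twice on one domain controller beats a single, later write elsewhere. For an investigator this is why the replication metadata (version, originating time, originating DSA) is worth pulling for a suspicious attribute change rather than trusting the object's modify timestamp alone.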

Apart from domain controllers, you can have servers in your environment that operate as member servers of the domain but do not host Active Directory information. Member servers do not provide domain security functions such as authenticating users either. Typical examples of member servers are file servers, print servers, and Web servers. Standalone servers, on the other hand, operate in workgroups and are not members of the Active Directory domain; they have and manage their own security databases.

Active Directory Namespace Structure

The Domain Name System (DNS) is the Internet service that Active Directory uses to structure computers into domains. DNS domains have a hierarchical structure that identifies computers, organizational domains and top-level domains. Because DNS also maps host names to numeric Transmission Control Protocol/Internet Protocol (TCP/IP) addresses, you can define the Active Directory domain hierarchy either on an Internet-wide basis or privately. Because DNS is an essential component of Active Directory, it has to be configured before you install Active Directory. The information typically stored in Active Directory can be categorized as follows:

  • Network security entities: This category contains information such as users, groups, computers, applications.
  • Active Directory mechanisms: This category includes permissions, replication, and network services.
  • Active Directory schema: Active Directory objects that define the attributes and classes in Active Directory are included here.

To ensure compatibility with the Windows NT domain model, Active Directory is designed and structured on the idea of domains and trust relationships. Because the SAM databases in Windows NT could not be combined, domains have to be joined using trust relationships. With Active Directory, a domain defines the following:

  • A namespace
  • A naming context
  • A security structure
  • A management structure

Within the domain, you have users and computers that are members of the domain, and Group Policies. In Active Directory, you can only create a naming context at a domain boundary, or by creating an Application naming context, a feature introduced in Windows Server 2003. In addition to a Domain naming context, each installation of Active Directory must have a Schema naming context and a Configuration naming context.

  • Schema naming context: Domain controllers in the forest each hold a read-only replica of the Schema naming context, which contains the ClassSchema and AttributeSchema objects. These objects define the classes and attributes in Active Directory. The domain controller holding the Schema Master role is the only domain controller that can change the schema.
  • Configuration naming context: Domain controllers in the forest each have a read and write replica of the Configuration naming context. The Configuration naming context contains the top-level containers listed below which basically manage those services that support Active Directory:

  • Display Specifiers container: Objects which change the attributes that can be viewed for the remainder of the object classes are stored in this container. Display Specifiers supply localization and define context menus and property pages. Localization determines the country code used during installation and then routes all content through the proper Display Specifier. Context menus and property pages are defined for each user according to whether the user attempting to access a particular object has Administrator privileges.
  • Extended Rights container: Because you can assign permissions to objects and the properties of an object, Extended Rights merges various property permissions to form a single unit. In this manner, Extended Rights manages and controls access to objects.
  • Lost and Found Config container: The Domain naming context and Configuration context each have a Lost and Found Config container that holds objects which have gone astray.
  • Partitions container: The Partitions container contains the cross-reference objects that depict all the other domains in a forest. The Partitions container's data is referenced by domain controllers when they create referrals to these domains. The data in the Partitions container can only be altered by a single domain controller within the forest.
  • Physical Locations container: The Physical Locations container contains physical Location DN objects which are related to Directory Enabled Networking (DEN).
  • Services container: This container stores the objects of distributed applications and is replicated to all domain controllers within the forest. You can view the contents of the container in the Active Directory Sites and Services console.
  • Sites container: The objects stored in the Sites container control Active Directory replication, among other site functions. You can also view the contents of this container in the Active Directory Sites and Services console.
  • Well-Known Security Principals container: This container stores the names and unique Security Identifiers (SIDs) for groups such as Interactive and Network.

Replication and Active Directory

In Active Directory, directory data in the categories listed below is replicated between domain controllers in the domain:

  • Domain data includes information on the objects stored in a particular domain. This includes objects for user accounts, Group Policy, shared resources and OUs.
  • Configuration data includes information on the components of Active Directory that describe the structure of the directory; it therefore defines the domains, trees, forests and the location of domain controllers and global catalog servers.
  • Schema data lists the objects and types of data that can be stored in Active Directory.

Active Directory utilizes multimaster replication: changes can be made to the directory from any domain controller because the domain controllers operate as peers, and the domain controller where the change was made then replicates it. Domain data is replicated to each domain controller within that domain. Configuration data and schema data are replicated to each domain in the domain tree and forest. Objects stored in the domain are replicated to global catalogs, and a subset of object properties from across the forest is also replicated to global catalogs. Replication that occurs within a site is known as intra-site replication; replication between sites is known as inter-site replication.

Support Files of Active Directory

The Active Directory support files are listed below. These are the files whose location you specify when you promote a server to a domain controller (by default %SystemRoot%\NTDS):

  • Ntds.dit (NT Directory Services): Ntds.dit is the core Active Directory database. This file on a domain controller holds the naming contexts hosted by that particular domain controller.
  • Edb.log: The Edb.log file is the transaction log. When changes occur to Active Directory objects, the changes are first saved to the transaction log before they are written to the Active Directory database.
  • Edbxxxxx.log: These are auxiliary transaction logs, used when the primary Edb.log file fills up before its contents have been written to the Ntds.dit Active Directory database.
  • Edb.chk: Edb.chk is a checkpoint file used by the transaction logging process; it records how far the transaction logs have already been applied to the database.
  • Res1.log and Res2.log: These are reserve log files whose space is used if insufficient space exists to create the next Edbxxxxx.log file.
  • Temp.edb: Temp.edb contains information on the transactions that are currently being processed.
  • Schema.ini: The Schema.ini file is used to initialize the Ntds.dit Active Directory database when a domain controller is promoted.
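The reason the log is written before the database, and the reason the checkpoint file matters, is recovery after an unclean shutdown. The following Python is an added example (not code from the page, and a toy JSON-lines format rather than the real ESE on-disk format) that plays the roles of Ntds.dit, Edb.log and Edb.chk: every change is appended to the log and forced to disk first, a checkpoint flushes the in-memory copy into the database file and records the log offset it covers, and recovery reloads the database and replays only the log written after that offset. File names mirror the list above; the DNs and attribute values are constructed.

```python
import json
import os
import tempfile


class ToyEseStore:
    """A tiny write-ahead-logged store with the same three roles as the AD
    support files: database image, transaction log and checkpoint. The file
    format here is invented for the example, not the real ESE layout."""

    def __init__(self, directory):
        self.dit = os.path.join(directory, "ntds.dit")  # committed database image
        self.log = os.path.join(directory, "edb.log")   # append-only transaction log
        self.chk = os.path.join(directory, "edb.chk")   # log offset already in the .dit
        for path in (self.dit, self.log, self.chk):
            open(path, "a").close()                      # create if missing
        self.data = {}
        self.recover()

    def _apply(self, dn, attr, value):
        self.data.setdefault(dn, {})[attr] = value

    def write(self, dn, attr, value):
        """Log first, force it to disk, and only then update the live copy.
        If the process dies right after the fsync, recover() still finds it."""
        record = json.dumps({"dn": dn, "attr": attr, "value": value})
        with open(self.log, "a") as f:
            f.write(record + "\n")
            f.flush()
            os.fsync(f.fileno())
        self._apply(dn, attr, value)

    def checkpoint(self):
        """Write the live copy into the .dit and record how much of the log
        it already reflects; log before that offset never needs replaying."""
        with open(self.dit, "w") as f:
            json.dump(self.data, f)
        with open(self.chk, "w") as f:
            f.write(str(os.path.getsize(self.log)))

    def recover(self):
        """Load the last checkpointed image, then replay every log record
        written after the checkpoint offset (byte offset, so read as binary)."""
        with open(self.dit) as f:
            image = f.read()
        self.data = json.loads(image) if image else {}
        with open(self.chk) as f:
            offset = int(f.read() or "0")
        with open(self.log, "rb") as f:
            f.seek(offset)
            for line in f:
                rec = json.loads(line.decode("utf-8"))
                self._apply(rec["dn"], rec["attr"], rec["value"])


def simulate_crash_and_recover():
    """Commit one change, checkpoint, commit two more, then 'crash' by
    discarding the in-memory store and rebuilding it from the files alone."""
    with tempfile.TemporaryDirectory() as d:
        store = ToyEseStore(d)
        store.write("CN=Jane Doe,OU=Users,DC=example,DC=com", "department", "Sales")
        store.checkpoint()
        store.write("CN=Jane Doe,OU=Users,DC=example,DC=com", "department", "Engineering")
        store.write("CN=svc-backup,OU=Service,DC=example,DC=com", "description", "backup agent")
        del store                           # the crash: nothing else is flushed
        recovered = ToyEseStore(d)          # replays the post-checkpoint log
        return dict(recovered.data)


if __name__ == "__main__":
    print(json.dumps(simulate_crash_and_recover(), indent=2))
```

Two practical consequences follow from the design. The log files are as sensitive as the database itself, because every recent change, including password-related attributes, passes through them before reaching Ntds.dit, so backups and access control must cover the whole NTDS folder rather than the .dit alone. And a missing or stale checkpoint file is not fatal: recovery simply replays more of the log, which is why the checkpoint is an optimisation rather than part of the data.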

Q.What is LDAP? Answer: The Lightweight Directory Access Protocol (LDAP) is a directory service protocol that runs directly over the TCP/IP stack. The information model (both for data and namespaces) of LDAP is similar to that of the X.500 OSI directory service, but with fewer features and lower resource requirements than X.500. Unlike most other Internet protocols, LDAP has an associated API that simplifies writing Internet directory service applications. The LDAP API is applicable to directory management and browser applications that do not have directory service support as their primary function. LDAP cannot create directories or specify how a directory service operates.
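Everything LDAP addresses in Active Directory is named by a distinguished name, the unique object name mentioned under objects above, and the naming contexts described earlier (Domain, Configuration, Schema) are themselves just DN suffixes. The following Python is an added example (not code from the page and not an LDAP client library) that parses a DN into its relative components, honouring backslash-escaped commas and equals signs, and then classifies which naming context an object DN lives in. It assumes the well-known container names CN=Configuration and CN=Schema,CN=Configuration; hex escapes and multi-valued RDNs are deliberately not handled. The sample DNs are constructed.

```python
def parse_dn(dn):
    """Split an LDAP distinguished name into (type, value) pairs, leftmost
    (most specific) first. Handles backslash-escaped commas and equals signs
    in the RFC 4514 style; hex escapes (\\2C) and multi-valued RDNs (a+b) are
    not handled, an assumption kept for brevity."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                 # previous char was a backslash: take literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":             # unescaped comma ends the current RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling escape character")
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr_type, sep, value = rdn.partition("=")   # first '=' separates type/value
        if not sep or not attr_type.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs


def naming_context(dn):
    """Classify which naming context an object DN belongs to and return
    (context, dns_name). The DNS name is built from the DC components; for a
    Configuration or Schema DN that is the forest root domain, because those
    two contexts hang off the forest root's DC components."""
    pairs = parse_dn(dn)
    dc_index = next((i for i, (t, _) in enumerate(pairs) if t == "DC"), None)
    if dc_index is None:
        raise ValueError("DN has no DC components, so it is not an AD object DN")
    dns_name = ".".join(value for _, value in pairs[dc_index:])
    above = [(t, v.lower()) for t, v in pairs[:dc_index]]
    if above[-2:] == [("CN", "schema"), ("CN", "configuration")]:
        return "schema", dns_name
    if above[-1:] == [("CN", "configuration")]:
        return "configuration", dns_name
    return "domain", dns_name


if __name__ == "__main__":
    # Constructed sample DNs, one per naming context plus an escaped value.
    for sample in [
        "CN=Jane Doe,OU=Users,DC=corp,DC=example,DC=com",
        r"CN=Doe\, Jane,OU=Users,DC=example,DC=com",
        "CN=Sites,CN=Configuration,DC=example,DC=com",
        "CN=attributeSchema,CN=Schema,CN=Configuration,DC=example,DC=com",
    ]:
        print(naming_context(sample), parse_dn(sample)[0])
```

Escaping is where hand-rolled DN handling usually goes wrong: a naive `split(",")` turns `CN=Doe\, Jane` into two bogus components, and code that builds LDAP filters or DNs by string concatenation from user input has the mirror-image problem. Parsing and classifying DNs properly is also what lets monitoring distinguish a routine change in a domain partition from a change in the Schema or Configuration partition, which replicates forest-wide and deserves closer review.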