Windows Server 2003 Active Directory and Security questions
By admin | December 7, 2003
1. What’s the difference between local, global and universal groups? Domain local groups assign
access permissions to global domain groups for local domain resources. Global groups provide access to
resources in other trusted domains. Universal groups grant access to resources in all trusted domains.
2. I am trying to create a new universal user group. Why can’t I? Universal groups are allowed only in
native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be
promoted to Windows Server 2003 Active Directory.
3. What is LSDOU? It’s the group policy inheritance model, where the policies are applied to Local
machines, Sites, Domains and Organizational Units.
4. Why doesn’t LSDOU work under Windows NT? If the NTConfig.pol file exists, it has the highest
priority among the numerous policies.
5. Where are group policies stored? %SystemRoot%\System32\GroupPolicy
6. What is GPT and GPC? Group policy template and group policy container.
7. Where is GPT stored? %SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID
8. You change the group policies, and now the computer and user settings are in conflict. Which
one has the highest priority? The computer settings take priority.
9. You want to set up a remote installation procedure, but do not want the user to gain access
to it. What do you do? gponame–> User Configuration–> Windows Settings–> Remote Installation
Services–> Choice Options is your friend.
10. What’s contained in administrative template conf.adm? Microsoft NetMeeting policies
11. How can you restrict running certain applications on a machine? Via group policy, security
settings for the group, then Software Restriction Policies.
12. You need to automatically install an app, but an MSI file is not available. What do you
do? A .zap text file can be used to add applications using the Software Installer, rather than the Windows
Installer.
13. What’s the difference between Software Installer and Windows Installer? The former has fewer
privileges and will probably require user intervention. Plus, it uses .zap files.
14. What can be restricted on Windows Server 2003 that wasn’t there in previous
products? Group Policy in Windows Server 2003 determines a user’s right to modify network and dial-up
TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network
configuration parameters.
15. How frequently is the client policy refreshed? 90 minutes give or take.
16. Where is secedit? It’s now gpupdate.
17. You want to create a new group policy but do not wish to inherit. Make sure you check Block
inheritance among the options when creating the policy.
18. What is "tattooing" the Registry? The user can view and modify user preferences that are not stored in
maintained portions of the Registry. If the group policy is removed or changed, the user preference will
persist in the Registry.
19. How do you fight tattooing in NT/2000 installations? You can’t.
20. How do you fight tattooing in 2003 installations? User Configuration - Administrative Templates -
System - Group Policy - enable - Enforce Show Policies Only.
21. What does IntelliMirror do? It helps to reconcile desktop settings, applications, and stored files for
users, particularly those who move between workstations or those who must periodically work offline.
22. What’s the major difference between FAT and NTFS on a local machine? FAT and FAT32 provide
no security over locally logged-on users. Only native NTFS provides extensive permission control on both
remote and local files.
23. How do FAT and NTFS differ in approach to user shares? They don’t, both have support for
sharing.
24. Explain the List Folder Contents permission on the folder in NTFS. Same as Read & Execute, but
not inherited by files within a folder. However, newly created subfolders will inherit this permission.
25. I have a file to which the user has access, but he has no folder permission to read it. Can he
access it? It is possible for a user to navigate to a file for which he does not have folder permission. This
involves simply knowing the path of the file object. Even if the user can’t drill down the file/folder tree using
My Computer, he can still gain access to the file using the Universal Naming Convention (UNC). The best
way to start would be to type the full path of a file into Run… window.
26. For a user in several groups, are Allow permissions restrictive or permissive? Permissive: if at
least one group has Allow permission for the file/folder, the user will have the same permission.
27. For a user in several groups, are Deny permissions restrictive or permissive? Restrictive: if at
least one group has Deny permission for the file/folder, the user will be denied access, regardless of other group
permissions.
28. What hidden shares exist on Windows Server 2003 installation? Admin$, Drive$, IPC$,
NETLOGON, print$ and SYSVOL.
29. What’s the difference between standalone and fault-tolerant DFS (Distributed File System)
installations? The standalone server stores the Dfs directory tree structure or topology locally. Thus, if a
shared folder is inaccessible or if the Dfs root server is down, users are left with no link to the shared
resources. A fault-tolerant root node stores the Dfs topology in the Active Directory, which is replicated to
other domain controllers. Thus, redundant root nodes may include multiple connections to the same data
residing in different shared folders.
30. We’re using the DFS fault-tolerant installation, but cannot access it from a Win98 box. Use the
UNC path, not the DFS client; only 2000 and 2003 clients can access Server 2003 fault-tolerant shares.
31. Where exactly do fault-tolerant DFS shares store information in Active Directory? In Partition
Knowledge Table, which is then replicated to other domain controllers.
32. Can you use Start->Search with DFS shares? Yes.
33. What problems can you have with DFS installed? Two users opening the redundant copies of the file
at the same time, with no file-locking involved in DFS, changing the contents and then saving. Only one file
will be propagated through DFS.
34. I run Microsoft Cluster Server and cannot install fault-tolerant DFS. Yeah, you can’t. Install a
standalone one.
35. Is Kerberos encryption symmetric or asymmetric? Symmetric.
36. How does Windows 2003 Server try to prevent a man-in-the-middle attack on an encrypted line? A time
stamp is attached to the initial client request, encrypted with the shared key.
37. What hashing algorithms are used in Windows 2003 Server? RSA Data Security’s Message Digest
5 (MD5), which produces a 128-bit hash, and the Secure Hash Algorithm 1 (SHA-1), which produces a 160-bit hash.
38. What third-party certificate exchange protocols are used by Windows 2003 Server? Windows
Server 2003 uses the industry standard PKCS-10 certificate request and PKCS-7 certificate response to
exchange CA certificates with third-party certificate authorities.
39. What’s the number of permitted unsuccessful logons on Administrator account? Unlimited.
Remember, though, that it’s the Administrator account, not any account that’s part of the Administrators
group.
40. If hashing is a one-way function and Windows Server uses hashing for storing passwords, how
is it possible to attack the password lists, specifically the ones using NTLMv1? A cracker would
launch a dictionary attack by hashing every imaginable term used for a password and then comparing the
hashes.
41. What’s the difference between guest accounts in Server 2003 and other editions? More
restrictive in Windows Server 2003.
42. How many passwords by default are remembered when you check "Enforce Password
History Remembered"? The user’s last 6 passwords.
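The Allow/Deny evaluation rules of questions 26 and 27, together with the inheritance behaviour of List Folder Contents (question 24) and the file-reached-by-full-path case (question 25), modelled as an added example that is not code from the original page. The share tree, groups and ACEs are constructed; special rights, ownership and share-level permissions are left out of the model.

```python
"""Effective NTFS rights for a user in several groups (questions 24-27 above).

Added example, not code from the original page. The share tree, group names
and ACEs are constructed; special rights, ownership and share-level
permissions are left out of the model.
"""
from dataclasses import dataclass, field

# Object kinds that inherit an ACE. "List Folder Contents" is folders-only:
# subfolders inherit it, files do not (question 24).
FOLDERS_ONLY = frozenset({"folder"})
FOLDERS_AND_FILES = frozenset({"folder", "file"})


@dataclass(frozen=True)
class ACE:
    trustee: str                    # user or group name
    rights: frozenset               # e.g. frozenset({"Read", "Write"})
    allow: bool = True              # False -> Deny ACE
    inherit_to: frozenset = FOLDERS_AND_FILES


@dataclass
class Node:
    name: str
    kind: str                       # "folder" or "file"
    aces: list = field(default_factory=list)
    children: dict = field(default_factory=dict)

    def add(self, child):
        self.children[child.name] = child
        return child


def applicable_aces(root, path):
    r"""Return (node, acl) for a path such as r"\Share\Finance\budget.xls":
    ACEs inherited from every ancestor folder whose inherit_to covers the
    object's kind, followed by the object's own explicit ACEs."""
    parts = path.strip("\\").split("\\")
    if parts[0] != root.name:
        raise KeyError(path)
    node, ancestors = root, []
    for part in parts[1:]:
        ancestors.append(node)
        node = node.children[part]  # KeyError if the path does not exist
    acl = [a for anc in ancestors for a in anc.aces if node.kind in a.inherit_to]
    return node, acl + list(node.aces)


def effective_rights(user, groups, root, path):
    """Allow is permissive: the union of rights granted to the user, to Everyone
    or to any group the user belongs to (question 26). Deny is restrictive: a
    Deny ACE matching any of those principals removes the right no matter how
    many other groups allow it (question 27)."""
    principals = {user, "Everyone", *groups}
    _, acl = applicable_aces(root, path)
    allowed, denied = set(), set()
    for ace in acl:
        if ace.trustee in principals:
            (allowed if ace.allow else denied).update(ace.rights)
    return frozenset(allowed - denied)


def sample_share():
    r"""Constructed tree: \Share\Finance holds budget.xls and an Archive folder."""
    root = Node("Share", "folder")
    finance = root.add(Node("Finance", "folder", [
        ACE("Finance", frozenset({"Read", "Write"})),
        ACE("Contractors", frozenset({"Write"}), allow=False),
        ACE("Finance", frozenset({"ListFolderContents"}), inherit_to=FOLDERS_ONLY),
    ]))
    finance.add(Node("Archive", "folder"))
    # carol has an explicit Allow on the file but nothing on the folder: she
    # cannot list \Share\Finance, yet the file's own ACL grants her Read when
    # she types the full path (question 25; Windows permits the traversal
    # through the Bypass Traverse Checking privilege held by Everyone).
    finance.add(Node("budget.xls", "file", [ACE("carol", frozenset({"Read"}))]))
    return root
```

Call `effective_rights("alice", {"Finance", "Contractors"}, sample_share(), r"\Share\Finance\budget.xls")` to see the Contractors Deny strip Write from the rights the Finance group allows.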

Active Directory Questions and Answers:


1 :: Explain Active Directory?


"Active Directory is the directory service used in Windows 2000 Server and is the foundation of
Windows 2000 distributed networks."

The core of Active Directory is a combination of an LDAP server and MIT Kerberos 5 KDC running on a
Windows 2000 server acting as a domain controller that work as a unit to provide authentication ("Who
are you?") and authorization ("What are you allowed to do?") information within a group of interlinked
systems.

Above and beyond that, the LDAP "face" of this structure behaves as an enterprise-wide distributed
database that not only contains Windows-specific information but can be extended to incorporate user-
defined data as well.

The AD is held together by DNS, which is used not only to locate specific machines within the AD but
also to locate which functions of the AD are running on which domain controllers.

2 :: What is Forest?
The term "forest" is used to describe a collection of AD domains that share a single schema for the AD.
All DC's in the forest share this schema and it is replicated in a hierarchical fashion among them. The
preferred model for Windows 2000 AD is to have an organization use a single forest that spans an entire
enterprise.

While not an administrative block by themselves, forests are a major boundary in that only limited
communication is available between forests. For example, it is difficult for a user in one forest to access
a resource in another forest.
It is very difficult to integrate forests at this time because of potential problems reconciling schema
differences between two forests.

3 :: What are Domains in Active Directory?


In Windows 2000, a domain defines both an administrative boundary and a security boundary for a
collection of objects that are relevant to a specific group of users on a network. A domain is an
administrative boundary because administrative privileges do not extend to other domains. It is a
security boundary because each domain has a security policy that extends to all security accounts within
the domain. Active Directory stores information about objects in one or more domains.

Domains can be organized into parent-child relationships to form a hierarchy. A parent domain is the
domain directly superior in the hierarchy to one or more subordinate, or child, domains. A child domain
also can be the parent of one or more child domains, as shown below.

4 :: What are Organizational Units?


OU's have many of the attributes of an NT 4 domain. However, instead of requiring server resources to
create and support, they are a logical construct within the Active Directory so an OU does not have to
support and maintain a domain controller.

OU's are created by an administrator of an AD domain and can be freely named (and renamed). The OU
can then be populated with objects of many types including computers, groups, printers, users and other
sub-OU's.

The real power of an OU is that once it is established, the administrator of its "parent" can delegate
administrative authority -- in total or in part -- to any user or group that is in the AD.

When this happens, the designated user/group gains complete administrative authority over all objects
in their OU and thus has all of the rights and abilities that a Windows NT domain administrator would
have as well as some new ones such as the ability to further segment their OU into sub-OU's and
delegate authority over those sub-elements as they see fit.

5 :: What is the Group Policy?


Group Policy is one of the most exciting -- and potentially complex -- mechanisms that the Active
Directory enables. Group policy allows a bundle of system and user settings (called a "Group Policy
Object" or GPO) to be created by an administrator of a domain or OU and have it automatically pushed
down to designated systems.

Group Policy can control everything from user interface settings such as screen background images to
deep control settings in the client such as its TCP/IP configuration and authentication settings. There are
currently over 500 controllable settings. Microsoft has provided some templates as well to provide a
starting point for creating policy objects.

A significant advantage of group policy over the old NT-style policies is that the changes they make are
reversed when the policy no longer applies to a system. In NT 4, once a policy was applied to a system,
removing that policy did not by itself roll back the settings that it imposed on the client. With Windows
2000, when a specified policy no longer applies to a system it will revert to its previous state without
administrative interference.

Multiple policies from different sources can be applied to the same object. For example, a domain might
have one or more domain-wide policies that apply to all systems in the domain. Below that, systems in
an OU can also have policy objects applied to them, and the OU can even be further divided into sub-OU's
with their own policies.

This can create a very complex web of settings so administrators must be very careful when creating
these multiple layers of policy to make sure the end result -- which is the union of all of the applicable
policies with the "closest" policy taking priority in most cases -- is correct for that system. In addition,
because Group policy is checked and applied during the system boot process for machine settings and
again during logon for user settings, it is recommended that GPO's be applied to a computer from no
more than five "layers" in the AD to keep reboot and/or login times from becoming unacceptably long.
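The LSDOU order and Block Inheritance (questions 3 and 17 in the list at the top of the page) and the rule from this section that the closest policy wins a conflict, worked through as an added example; this is not code from the original page. The container names, GPO names and setting names are constructed, and the Enforced link option, which the page does not describe, is included as the standard Windows way to carry a GPO past a Block Inheritance flag.

```python
"""Model of Group Policy processing order (LSDOU) with Block Inheritance.

Added example, not code from the original page. Container names, GPO names
and setting names are constructed for illustration.
"""
from dataclasses import dataclass, field

# Policies are applied Local, then Site, then Domain, then OU (outermost to
# innermost). A later policy overwrites conflicting settings of an earlier
# one, so the policy "closest" to the object wins a conflict.
LEVELS = ("Local", "Site", "Domain", "OU")


@dataclass
class GPO:
    name: str
    settings: dict                  # setting name -> value
    enforced: bool = False          # "Enforced" / "No Override" link option


@dataclass
class Container:
    level: str                      # one of LEVELS
    name: str
    gpos: list = field(default_factory=list)   # linked GPOs, processing order
    block_inheritance: bool = False


def resolve(chain):
    """Compute the effective settings for an object whose container path is
    `chain`, ordered from the local computer down to the object's own OU.

    Returns (settings, applied): the merged settings and the GPO names in the
    order their settings were written, lowest precedence first."""
    for c in chain:
        if c.level not in LEVELS:
            raise ValueError(f"unknown level {c.level!r}")
    inherited = []   # (level, gpo) pairs not marked enforced, LSDOU order
    enforced = []    # enforced (level, gpo) pairs, LSDOU order
    for c in chain:
        if c.block_inheritance:
            # Block Inheritance discards GPOs linked at containers above this
            # one; enforced links cannot be blocked. The Local GPO is not a
            # link at all, so this model keeps it (a simplification).
            inherited = [(lvl, g) for lvl, g in inherited if lvl == "Local"]
        for g in c.gpos:
            (enforced if g.enforced else inherited).append((c.level, g))
    # Non-enforced GPOs: later (closer) ones overwrite earlier ones. Enforced
    # GPOs are written after all of them, and when two enforced GPOs conflict
    # the one linked higher wins, so they are written in reverse order.
    settings, applied = {}, []
    for _, g in inherited + enforced[::-1]:
        settings.update(g.settings)
        applied.append(g.name)
    return settings, applied


def sample_chain(block=True):
    """Constructed scenario: a Sales OU blocks inheritance while the domain
    links an enforced GPO carrying the password-history setting."""
    return [
        Container("Local", "WKS01",
                  [GPO("LocalGPO", {"Wallpaper": "blue", "Screensaver": "on"})]),
        Container("Site", "HQ"),
        Container("Domain", "corp.example", [
            GPO("DomainDesktop", {"Wallpaper": "corp", "RestrictRun": "on"}),
            GPO("PasswordBaseline", {"PasswordHistory": 6}, enforced=True),
        ]),
        Container("OU", "Sales",
                  [GPO("SalesDesktop", {"Wallpaper": "sales", "PasswordHistory": 2})],
                  block_inheritance=block),
    ]


if __name__ == "__main__":
    settings, applied = resolve(sample_chain())
    print(applied)   # ['LocalGPO', 'SalesDesktop', 'PasswordBaseline']
    print(settings)  # RestrictRun blocked, PasswordHistory 6 from the enforced GPO
```

Running `resolve(sample_chain(block=False))` shows the difference: DomainDesktop is applied again and RestrictRun reaches the Sales workstation.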

Server Support Interview Questions


Server 2003 Restore Point


How to create restore point in Server 2003?
Latest Answer: Download the file windowsreference.com/files/AddSystemRestore.zip and extract it.
Double click on AddSystemRestoreEntries.reg (this will add some values to the registry). Click on Yes to
continue. Then insert a Windows XP CD into your CDROM drive. Right ...
Asked by : farhatu

Mirrored Volume
How to configure mirrored volume in Windows 2003 server?
Latest Answer: To create a mirror volume, the disk must first be dynamic; only after that are we able to
create a mirror volume. ...
Asked by : suresh262

2003 server User's Drive mapping


How can I map a user to its directory folder? Meaning I want the user to have access to a drive called
"G"...... Thanks
Latest Answer: If you have access to the domain, go to Active Directory Users and Computers, select
the user -> Properties -> go to Profile -> Home folder -> Connect; in the To field type the drive or folder
path ...
Asked by : Mrcrosado
How to find problems in a server with the support of event logs
Latest Answer: To access the Event Viewer, select the Programs | Administrative Tools | Computer
Management from the Start menu. When the Computer Management console loads, navigate through
the console tree to Computer Management (Local) | System Tools | Event Viewer. ...
Asked by : narendra desale

Microsoft Outlook Questions


1. What is the difference between Microsoft Outlook and Microsoft Outlook Express? 2. What are the
default port numbers in Outlook for POP3 / HTTP / SMTP? 3. What is the meaning of pst in Outlook and
what
Latest Answer: 1. What is the difference between Microsoft Outlook and Microsoft Outlook Express?
Outlook Express is the default mail client in Windows. It is less secure and has no option for PST. MS
Outlook is a very good option for Windows. It has the option of PST, so ...
Asked by : khaledp

Windows Administration
What are the steps to create a child domain in Windows 2003 Advanced Server?
Latest Answer: You can create a new child domain under Windows Server 2003 using the steps below: 1.
On the member server you want to turn into a domain controller, click Start, click Run and launch
the Active Directory Installation Wizard. Click Next and ...
Asked by : najibakhtar

Active Directory
Explain about Active Directory & LDAP with industry usage
Latest Answer: Active Directory is a centralized database that contains information about objects
like users, groups, computers, printers, OUs, contacts and shared folders. LDAP - Lightweight
Directory Access Protocol. DN - (Distinguished Name), RDN - (Relative ...
Asked by : lrossi

Window's Admin questions


1) What is DNS & DNS Records? 2) What is Replication? 3) How do you troubleshoot Replication
problems? 4) How do you configure Group Policy? 5) What is a Relay agent?
Latest Answer: DNS ...
Asked by : pearl_guy69

What is the use of Terminal Server?


Without having Terminal Server installed we can get the desktop of a system on a remote system
through Remote Desktop Connection by enabling Remote Desktop. Then what is the use of Terminal
Services?
Latest Answer: Terminal Server is used to get multiple session access to the server via Remote Desktop
Protocol (RDP). By default all Windows 2000 / 2003 / 2008 servers come with 2 RDP sessions and
1 console session built in. So if you want to increase the ...
Asked by : waugh_ananda

Tree and Forest


Explain what is meant by a tree and a forest, and how they differ.
Latest Answer: Hi friends, a tree creates two types of child tree, and each and every child
tree creates a grandchild tree.... it's ...
Asked by : ravila23

Technical Interview Questions – Active Directory


• What is Active Directory?
• What is LDAP?
• Can you connect Active Directory to other 3rd-party Directory Services? Name a few
options.
• Where is the AD database held? What other folders are related to AD?
• What is the SYSVOL folder?
• Name the AD NCs and replication issues for each NC
• What are application partitions? When do I use them
• How do you create a new application partition
• How do you view replication properties for AD partitions and DCs?
• What is the Global Catalog?
• How do you view all the GCs in the forest?
• Why not make all DCs in a large forest as GCs?
• Trying to look at the Schema, how can I do that?
• What are the Support Tools? Why do I need them?
• What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
• What are sites? What are they used for?
• What's the difference between a site link's schedule and interval?
• What is the KCC?
• What is the ISTG? Who has that role by default?
• What are the requirements for installing AD on a new server?
• What can you do to promote a server to DC if you're in a remote location with slow WAN
link?
• How can you forcibly remove AD from a server, and what do you do later?
• Can I get user passwords from the AD database?
• What tool would I use to try to grab security related packets from the wire?
• Name some OU design considerations.
• What is tombstone lifetime attribute?
• What do you do to install a new Windows 2003 DC in a Windows 2000 AD?
• What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?
• How would you find all users that have not logged on since last month?
• What are the DS* commands?
• What's the difference between LDIFDE and CSVDE? Usage considerations?
• What are the FSMO roles? Who has them by default? What happens when each one fails?
• What FSMO placement considerations do you know of?
• I want to look at the RID allocation table for a DC. What do I do?
• What's the difference between transferring a FSMO role and seizing one? Which one should
you NOT seize? Why?
• How do you configure a "stand-by operation master" for any of the roles?
• How do you backup AD?
• How do you restore AD?
• How do you change the DS Restore admin password?
• Why can't you restore a DC that was backed up 4 months ago?
• What are GPOs?
• What is the order in which GPOs are applied?
• Name a few benefits of using GPMC.
• What are the GPC and the GPT? Where can I find them?
• What are GPO links? What special things can I do to them?
• What can I do to prevent inheritance from above?
• How can I override blocking of inheritance?
• How can you determine what GPO was and was not applied for a user? Name a few ways to
do that.
• A user claims he did not receive a GPO, yet his user and computer accounts are in the right
OU, and everyone else there gets the GPO. What will you look for?
• Name a few differences in Vista GPOs
• Name some GPO settings in the computer and user parts.
• What are administrative templates?
• What's the difference between software publishing and assigning?
• Can I deploy non-MSI software with GPO?
• You want to standardize the desktop environments (wallpaper, My Documents, Start menu,
printers etc.) on the computers in one department. How would you do that?

• Windows 2003 Command Line Tools
• What are some of the command-line tools available for managing a Windows 2003
Server/Active Directory environment?
• Latest Answer: CSVDE, LDIFDE, gpupdate ...
• Asked by : ravila23

• Role of DNS in Windows 2003
• Explain the role of DNS in Windows 2003 Server.
• Latest Answer: Actually, DNS is a name resolution system. We are not able to remember machines by IP
address; we remember them by computer name, and a machine doesn't understand names, it only
understands IPs. For that purpose we use DNS as a resolution system which maintains this record
...
• Asked by : ravila23

• Windows 2003 Server R2
• Describe the changes included with Windows 2003 Server R2.
• Latest Answer: The following are the improvements that we find in Windows Server 2003 R2: A)
Identity and access management B) Branch office server management C) Storage set-up and
management D) Application development inside and outside organizational traditional
boundaries. E) ...
• Asked by : ravila23

• Active Directory AD Database
• Where is the AD database held? What other folders are related to AD?
• Latest Answer: %systemroot%\ntds ...
• Asked by : sarunhere

• Active Directory SYSVOL Folder
• What is the SYSVOL folder?
• Latest Answer: The SYSVOL folder stores the server's copy of the domain's public files. The
contents of the SYSVOL folder, such as group policy, users etc., are replicated to all domain
controllers in the domain. The SYSVOL folder must be located on an NTFS volume. ...
• Asked by : sarunhere

• Transferring Domain controller to another Windows 2003 server to make
Domain controller
• Hi all, I have one DC running on Windows 2003 with its objects, but now I want to transfer it to
another machine, without changing the previous system's permissions and object
resources. ????
• Latest Answer: As your 1st DC would be GCS. On a new Windows 2003 machine make an ADC
(Additional Domain Controller) by typing dcpromo in Run and following the instructions. When
your ADC has been made on the new Win 2003 machine, then go to command mode of GCS and from
cmd ...
• Asked by : vravis

• Windows 2003 Server Policy and Organizational unit
• How to create a policy and organizational unit in Windows 2003 Server? How to apply users to
the policy and organizational unit in Windows 2003 Server?
• Latest Answer: To create an OU in Active Directory Users and Computers you would right click
your domain and select New, then OU, and name it what you want.... To create or assign a GPO to
said OU you can right click the OU and select Properties, then select the Group Policy ...
• Asked by : johnnytawil

• What is meant by active directory?
• Latest Answer: Active Directory is a directory service / database which contains all the
information related to the domain, like servers / computers / users / groups etc. All the
entities that are part of the domain are called objects. So this ADS service will relate ...
• Asked by : umj5782

• How to configure Microsoft Exchange in windows 2000 server
• Latest Answer: Assuming this will be the first Exchange install. Make sure that Windows 2000
Server is part of the Active Directory. We have a proper response for nslookup from this
box. Install IIS along with the components SMTP & NNTP. Decide on the database and ...
• Asked by : Rukmangathan

• Server and Protocol Questions
• Which protocol does ADS require? What is the scope of a DHCP server? What is the difference
between 2000 Server and 2003 Server? What is the difference between a domain and a domain
name server? How does a protocol
• Latest Answer: Q. Which protocol does ADS require? Answer: LDAP for directory services and
Kerberos for authentication. Q. What is the scope of a DHCP server? Answer: A scope determines
which IP addresses are provided to the clients. Scopes should be defined and must be
activated ...
• Asked by : ismail

• What is VSS and what is its functionality? What is CVS and what is its
functionality?
• Latest Answer: VSS - Visual Source Safe (from MS). CVS - Content Versions System (open source). In
a nutshell, both of these keep track of all work and all changes done in a set of files (e.g.
application source code), and allow several developers to collaborate. ...
• Asked by : SIVAKUMAR

• What are the different version in Windows 2003 and the differences
between them
• Hi to all!!! I am currently finishing getting my degree as a Network Security
Professional/Administrator. I am working with the book "Network + Guide to Networking, 4th
Edition" by Tamara Banks. I am
• Latest Answer: Sorry for the late reply.. I just checked it today... Yes, you would need to install
each different edition ...
• Asked by : b.adams0620

• What is the advantage of using application server?
• Latest Answer: To access many services like mail service ...
• Asked by : gvp.java