Active Directory
>What is Active Directory ?
Active Directory is a directory service: a database, together with the services built on top of it, that stores information about users, computers, groups and other network objects, plus the metadata (schema and configuration) that describes them. It provides the means to manage and administer the entire network that is joined to AD.
>What is Active Directory Domain Services ?
In Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In Windows Server 2008 and Windows Server 2008 R2, the directory service is named Active Directory Domain Services (AD DS). The rest of this page refers to AD DS, but the information also applies to Active Directory.
>What is domain ?
A domain is a set of network resources (applications, printers, and so forth) for a group of users. The user need only log in to the domain to gain access to the resources, which may be located on a number of different servers in the network. A domain is identified by a DNS name such as corp.example.com; it is not a URL, and it is not an IP address.
>What is domain controller ?
A Domain controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, etc.) within the Windows Server domain. A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of computer resources with the use of a single username and password combination.
>What is LDAP ?
Lightweight Directory Access Protocol (LDAP) is the industry standard directory access protocol, making Active Directory widely accessible to management and query applications. Active Directory supports LDAPv3 and LDAPv2.
>What is KCC ?
The KCC (Knowledge Consistency Checker) is the process on every domain controller that generates the replication topology, both for intersite and for intrasite replication. Within a site, replication traffic uses remote procedure calls (RPC) over IP; between sites it uses either RPC over IP or SMTP (SMTP can carry only the schema, configuration and global catalog partitions, not the domain partition).
>Where is the AD database held? What other folders are related to AD?
The AD database is stored in %SystemRoot%\NTDS\ntds.dit (by default C:\Windows\NTDS\ntds.dit). The same folder holds the transaction logs (edb*.log) and the checkpoint file (edb.chk) that the database engine needs for recovery. The SYSVOL folder (%SystemRoot%\SYSVOL) holds the replicated Group Policy templates and logon scripts. Because ntds.dit contains every account's password hashes, the folder, its logs and any backup of them must be protected as tightly as the domain controller itself.
>What is the SYSVOL folder?
The SYSVOL folder stores the server's copy of the domain's public files. Its contents, such as Group Policy templates and logon scripts, are replicated to all domain controllers in the domain (by FRS, or by DFS-R once the domain is at the Windows Server 2008 functional level and SYSVOL has been migrated). Because anything written into SYSVOL is applied or executed on every machine that processes the policy, write access to it must be limited to domain administrators.
> What is the Netlogon folder used for?
SYSVOL is an important component of Active Directory. The Sysvol folder is shared on an NTFS volume on all the domain controllers in a particular domain and is used to deliver policy and logon scripts to domain members.
By default SYSVOL includes 2 folders; the Scripts folder is shared with the name NETLOGON, so logon scripts are reachable by clients as \\domain_name\NETLOGON:
1.Policies - (Default location - %SystemRoot%\Sysvol\Sysvol\domain_name\Policies)
2.Scripts - (Default location - %SystemRoot%\Sysvol\Sysvol\domain_name\Scripts)
>What are the differences between the Enterprise Admins and Domain Admins groups in AD ?
Enterprise Admins : Members of this group have full control of all domains in the forest. The group exists only in the forest root domain. By default, this group is a member of the Administrators group on all domain controllers in the forest, and the Administrator account of the forest root domain is a member of it. Because this group has full control of the forest, add users with caution.
Domain Admins : Members of this group have full control of the domain. By default, this group is a member of the Administrators group on all domain controllers, all domain workstations and all domain member servers at the time they are joined to the domain. By default, the Administrator account is a member of this group. Because the group has full control in the domain, add users with caution.
>Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003 ?
Active Directory replaces them. All domain controllers now share a multi-master, peer-to-peer read/write relationship, each hosting a writable copy of the Active Directory database. Only the PDC emulator FSMO role keeps a trace of the old PDC, for the benefit of down-level clients.
>I am trying to create a new universal user group. Why can't I ?
Universal security groups are allowed only in native mode (Windows 2000 native or Windows Server 2003 domain functional level). Native mode requires that all domain controllers in the domain run Windows 2000 or Windows Server 2003 Active Directory; a domain that still contains Windows NT 4.0 BDCs is in mixed mode, where universal groups can only be distribution groups.
>What is LSDOU ?
It's the Group Policy inheritance (processing order) model: policies are applied from the Local machine, then the Site, then the Domain and then the Organizational Units, with settings applied later overriding conflicting settings applied earlier.
>Why doesn't LSDOU work under Windows NT ?
Windows NT 4.0 has no Group Policy; it uses System Policy (NTConfig.pol). If an NTConfig.pol file exists, it has the highest priority among the policies applied.
>What's the number of permitted unsuccessful logons on the Administrator account?
Unlimited. Remember, though, that this applies only to the built-in Administrator account (RID 500), not to every account that is a member of the Administrators group. Because the account lockout policy never locks it out, a long, strong password on it is essential.
> What's the difference between guest accounts in Server 2003 and other editions?
More restrictive in Windows Server 2003: the Guest account is disabled by default.
> How many passwords by default are remembered when you enable "Enforce password history"?
In the Default Domain Policy of Windows Server 2003 and later, the user's last 24 passwords. (On a standalone computer the local policy default is 0, so no history is kept until the setting is configured.)
> Can the GC server and Infrastructure Master be placed on a single server? If not, explain why.
Not in a multi-domain forest. The Infrastructure Master works by comparing its own copy of cross-domain references with the Global Catalog and replicating the corrections; if it is itself a GC it already holds a partial copy of every object in the forest, never notices a stale reference, and simply stops updating. The exception is when every DC in the domain is a GC (or the forest has a single domain): then there is nothing to update and the placement does not matter.
> Which service in Windows is responsible for replication from one domain controller to another domain controller?
Active Directory replication is performed by the directory service itself: part of the Local Security Authority process (lsass.exe) on Windows 2000/2003, and the stoppable Active Directory Domain Services (NTDS) service on Windows Server 2008. The KCC, which runs inside it, generates the replication topology; changes are then replicated over RPC over IP, or over SMTP for intersite replication of the non-domain partitions.
> What are Intrasite and Intersite Replication ?
Intrasite replication is replication between domain controllers within the same site (change-notification driven, frequent and uncompressed). Intersite replication is replication between sites (scheduled over site links and compressed to save WAN bandwidth).
> What is the Lost & Found folder in ADS ?
It's the container (LostAndFound) where objects are placed when a replication conflict leaves them without a valid parent.
Example: you create a user in an OU on one DC while the same OU is deleted on another DC. When replication happens and the OU no longer exists, the user is moved into the LostAndFound container instead of being discarded.
> What is Garbage collection ?
Garbage collection is the housekeeping process that runs on every domain controller, by default every 12 hours. It permanently removes deleted objects (tombstones) whose tombstone lifetime has expired, deletes unneeded transaction logs and then performs an online defragmentation of the Active Directory database to reclaim space inside ntds.dit (the file itself only shrinks after an offline defragmentation with ntdsutil).
> What does System State data contain ?
Contains:
Startup (boot) files
Registry
COM+ Class Registration Database
System files (those protected by Windows File Protection)
AD information (ntds.dit and its logs, on a domain controller)
Cluster Service information (on a cluster node)
SYSVOL folder (on a domain controller)
Certificate Services database (on a certification authority)
IIS metabase (when IIS is installed)
Question:-What is the family of Windows NT?
Windows NT Workstation (Desktop)
Windows NT 4.0 Server (Server)
Windows NT 4.0 Enterprise Server (Server)
Question:-What is the family of Windows 2000?
Windows 2000 Professional (Desktop Operating System)
Windows 2000 Server (Server Operating System)
Windows 2000 Advanced Server (Server Operating System)
Windows 2000 Datacenter Server (Server Operating System)
Question:-What is the Windows Server 2003 family?
Windows Server 2003, Web Edition
Windows Server 2003, Standard Edition
Windows Server 2003, Enterprise Edition
Windows Server 2003, Datacenter Edition
Question:-What is the Windows Server 2008 R2 family?
Windows Server 2008 R2 Foundation
Windows Server 2008 R2 Standard
Windows Server 2008 R2 Enterprise
Windows Server 2008 R2 Datacenter
Windows Server 2008 R2 Web Server
Windows HPC Server 2008 R2 Suite
Windows Server 2008 R2 for Itanium-Based Systems
Question:-What is the difference between a Desktop and a Server?
Desktop computers usually run a client operating system such as Windows XP or Vista; Macs run OS X, and there are open source desktop alternatives such as Linux.
Servers run operating systems built to provide network services: directory and authentication, email, internet/intranet hosting, file sharing, databases and more. Windows Server and Windows Small Business Server are popular in small and mid-size businesses; Apple offers OS X Server for Mac-based networks.
The second major difference is hardware and fault tolerance. If a desktop goes down it affects a single person; if a server goes down it can easily affect dozens, even hundreds, of people at once. Servers therefore use redundant components and RAID (hardware or software) for fault tolerance and redundancy.
Question:- What is the difference between a Workgroup and a domain?
A workgroup is a distributed directory: each computer in the workgroup keeps its own local account database and shares only the workgroup name with the others. A domain is a centralized directory of resources maintained on domain controllers and presented to the user through Active Directory, so a user logs on once with a single domain account and can be authenticated by any domain controller.
Question:- What is a Stand-alone computer or server?
A computer that belongs to a workgroup, not to a domain, is called a standalone computer or standalone server.
Question:- What is a Member server?
A member server is a server that belongs to a domain but does not hold a copy of the Active Directory database and is not configured as a domain controller. It does not authenticate domain users itself; it passes those logons through to a domain controller. A member server can still provide shared resources such as shared folders, drives or printers, and can grant access to them using domain accounts and groups.
Question:- What is Active Directory?
Active Directory is a technology created by Microsoft that provides a variety of network services backed by a database holding information about users, groups, passwords (stored as hashes and Kerberos keys), security descriptors, printers, computers, Group Policy, published services and other network objects, together with the schema and configuration data that describe them.
Question:-What roles does the first Domain Controller have by default?
By default there are five operations master roles, all held by the first domain controller installed in the forest:
Schema Master
Domain Naming Master
PDC Emulator
Relative Identifier Master (RID)
Infrastructure Master
Question:-What are the roles an Additional Domain Controller will have by default?
By default an additional domain controller holds no role. If you want it to hold a role you transfer the role from the current holder (or seize it if the holder is permanently lost).
Question:-What are the roles the first Child Domain Controller will have by default?
By default the first DC of a child domain holds the three domain-wide FSMO roles:
PDC Emulator
Relative Identifier Master (RID)
Infrastructure Master
The two forest-wide roles (Schema Master and Domain Naming Master) stay in the forest root domain.
Question:-Explain the FSMO roles and their activities?
Answer: The Operations Master roles, also known as FSMO (Flexible Single Master Operation) roles, are core foundations of the Active Directory infrastructure.
Each forest has two forest-wide roles (Schema Master and Domain Naming Master) and each domain has three domain-wide roles (RID Master, PDC Emulator and Infrastructure Master). The roles can be held by one server or spread across several.
These are the five FSMO roles:
Schema Master
Controls updates and changes to the Active Directory schema.
The schema master domain controller is the only DC that can perform write updates to the schema (new object classes and attributes, for example when an application such as Exchange extends it). Once an update is complete it is replicated from the schema master to all other DCs in the forest. Only members of the Schema Admins group can make such changes. There can be only one schema master in the whole forest.
To find out which server holds this role issue the following command:
dsquery server -hasfsmo schema
Domain Naming Master
Controls the addition and removal of domains in the AD forest.
The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest.
To find out which server holds this role issue the following command:
dsquery server -hasfsmo name
Relative ID Master
Assigns the security ID to each new object created in Active Directory, such as a user, server or group.
The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that is unique for each security principal SID created in the domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The RID master responds by retrieving RIDs from the domain's unallocated RID pool and assigning them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.
To find out which server holds this role issue the following command:
dsquery server -hasfsmo rid
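The following is an added illustration of the SID structure and RID-pool allocation described above; it is not code from the page. The well-known RIDs (500 Administrator, 512 Domain Admins, 519 Enterprise Admins and so on) are the standard values; the starting RID, block size and refill threshold are assumed simplifications of the real allocator, and the domain SID is a constructed sample.

```python
"""SIDs, RIDs and RID-pool allocation (added illustration, not from the page)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Standard well-known RIDs that exist inside every domain (SID = <domain SID>-<RID>).
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}


def split_sid(sid: str) -> tuple[str, int]:
    """Split 'S-1-5-21-<a>-<b>-<c>-<RID>' into (domain SID, RID).
    Raises ValueError for anything that is not a domain-relative SID."""
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError(f"not a domain SID: {sid}")
    return "-".join(parts[:-1]), int(parts[-1])


def describe(sid: str) -> str:
    """Name the principal if its RID is well known. Access checks compare SIDs,
    so the built-in Administrator (RID 500) keeps its identity even when renamed."""
    _, rid = split_sid(sid)
    return WELL_KNOWN_RIDS.get(rid, "ordinary principal")


@dataclass
class RidMaster:
    """The single DC per domain that hands out disjoint RID blocks."""
    next_rid: int = 1000     # RIDs below 1000 are reserved for well-known principals
    block_size: int = 500    # assumed; matches the default RID block size

    def allocate_block(self) -> range:
        block = range(self.next_rid, self.next_rid + self.block_size)
        self.next_rid += self.block_size
        return block


@dataclass
class DomainController:
    """Any DC: consumes RIDs from its local pool and asks the RID master for more when low."""
    name: str
    domain_sid: str
    master: RidMaster
    pool: list[int] = field(default_factory=list)
    refill_threshold: int = 50   # assumed; the real threshold is a fraction of the block

    def create_principal(self) -> str:
        """Build the SID of a new user/group/computer: domain SID plus the next free RID."""
        if len(self.pool) <= self.refill_threshold:
            # If the RID master were unreachable this refill would fail, and once the
            # local pool is empty the DC can no longer create security principals.
            self.pool.extend(self.master.allocate_block())
        return f"{self.domain_sid}-{self.pool.pop(0)}"


def simulate(n_per_dc: int = 600) -> list[str]:
    """Two DCs sharing one RID master each create n_per_dc principals, interleaved.
    Because the blocks are disjoint, every SID returned is unique."""
    domain_sid = "S-1-5-21-1004336348-1177238915-682003330"   # constructed sample
    master = RidMaster()
    dcs = [DomainController("DC1", domain_sid, master),
           DomainController("DC2", domain_sid, master)]
    sids = []
    for _ in range(n_per_dc):
        for dc in dcs:
            sids.append(dc.create_principal())
    return sids


if __name__ == "__main__":
    print(describe("S-1-5-21-1004336348-1177238915-682003330-500"))
    created = simulate()
    print(len(created), "SIDs created,", len(set(created)), "unique")
```

Running the simulation shows why the RID master must be a single master: two DCs that drew from overlapping ranges would mint two principals with the same SID, and access control would no longer be able to tell them apart.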
PDC Emulator
Acts as the default time server for the domain and performs time sync with other time servers if needed.
The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) service that is required by the Kerberos authentication protocol, because Kerberos rejects tickets and authenticators whose timestamps differ from the server's clock by more than five minutes (the default tolerance). All Windows 2000/2003-based computers within an enterprise use a common time. The time service uses a hierarchical relationship that controls authority and does not permit loops, to ensure appropriate common time usage.
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner.
In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:
· Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
· Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
· Account lockout is processed on the PDC emulator.
· Editing or creation of Group Policy Objects (GPOs) is always done from the GPO copy found in the PDC emulator's SYSVOL share, unless the administrator configures otherwise.
· The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.
This last part of the PDC emulator role becomes unnecessary when all workstations, member servers and domain controllers that are running Windows NT 4.0 or earlier are upgraded to Windows 2000/2003. The PDC emulator still performs the other functions in a Windows 2000/2003 environment.
At any one time, there can be only one domain controller acting as the PDC emulator in each domain in the forest.
To find out which server holds this role issue the following command:
dsquery server -hasfsmo pdc
Infrastructure Master
Makes sure all object references are up to date on all domain controllers and, if not, replicates the corrected data.
When an object in one domain is referenced by an object in another domain (for example, a user from domain A who is a member of a group in domain B), the reference is represented by the GUID, the SID (for references to security principals) and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference when the referenced object is renamed or moved. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.
Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information, because it never finds references to objects that it does not hold: a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged in that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.
To find out which server holds this role issue the following command:
dsquery server -hasfsmo infr
Question:-What roles must be on the same server?
In a Windows 2000 forest the Domain Naming Master had to be hosted on a Global Catalog server. From the Windows Server 2003 forest functional level onward this requirement no longer applies.
Question:-What roles should not be on the same Domain Controller?
Infrastructure Master and Global Catalog.
Note: If you have only one domain you won't get any problem even if you have both of them on the same server. If you have two or more domains in a forest they shouldn't be on the same server.
Question:-What is a Global Catalog?
The global catalog is the set of all objects in an Active Directory Domain Services (AD DS) forest. A global catalog server is a domain controller that stores a full copy of all objects in the directory for its host domain and a partial, read-only copy of all objects for all other domains in the forest. Global catalog servers respond to global catalog queries.
Question:-How to check which server the above roles have been assigned to?
Install the Support Tools from the Windows Server CD.
At a command prompt type "netdom query fsmo".
Question:-How to start/stop a service from the command prompt?
Open a command prompt and type:
"net start <service name>" (to start a service)
"net stop <service name>" (to stop a service)
Question:-What are the file systems we have in Windows?
FAT/FAT16/FAT32/NTFS 4.0/NTFS 5.0
Question:- How to convert from FAT to NTFS?
convert <drive>: /fs:ntfs (for example, convert D: /fs:ntfs). The conversion is one-way; there is no built-in tool to convert NTFS back to FAT.
Question:-What is a forest?
A collection of one or more domain trees that do not form a contiguous namespace. Forests allow organizations to group divisions that operate independently but still need to communicate with one another.
All trees in a forest share a common schema, configuration partition and Global Catalog. All domains in a given forest trust each other through two-way transitive trust relationships.
Question:- What is a Domain?
A group of computers that are part of a network and share a common directory and security policies. In Windows Server 2008 a domain is a security boundary, and permissions that are granted in one domain are not carried over to other domains.
Question:- What is a Fully Qualified Domain Name?
hostname.domainname.com is known as an FQDN.
Question:-How many types of partitions are there in Windows?
There are two types of partitions:
Primary Partition
Extended Partition
Question:-What is the difference between a primary and an extended partition?
A primary partition is one on which you can install the files needed to load an operating system; the active primary partition is the system partition. An extended partition cannot hold an operating system loader directly; it is a container that is subdivided into logical drives.
Question:- How many partitions can you create at maximum? How many primary and how many extended?
On a basic disk you can create a maximum of four partitions. Among those you can create at most one extended partition, so the choice is four primary partitions, or three primary partitions plus one extended partition (which can hold many logical drives).
Question:-What is a volume?
A disk volume is a way of dividing your physical disk (or combining several disks) so that each section functions as a separate unit.
Question:-How many types of volumes are there?
There are 5 types of volumes:
Simple
Spanned
Striped (also called RAID 0)
Mirrored (also called RAID 1)
RAID-5 (also called striped volumes with parity)
Question:-What is the difference between a partition and a volume?
You have limitations on the number of partitions; you don't have limitations on the number of volumes.
You cannot extend the size of a partition; you can extend the size of a volume (on a dynamic disk).
Question:-What is the active partition?
The partition that contains the boot files of the operating system that starts by default.
Question:- What are the system volume and the boot volume?
The system volume is the one in which your boot files (such as ntldr and boot.ini) are located; whatever partition is marked as active is the system partition.
The boot volume is the one in which your Windows system files (the %SystemRoot% folder) are located. The two can be the same volume.
Question:-What are Unicast, Multicast and Broadcast?
Unicast: from one computer to one computer.
Multicast: only to the computers that have registered for a particular multicast group.
Broadcast: to all the computers on the segment.
>What is the difference between Server 2003 and 2008?
1. Virtualization. (Windows Server 2008 introduces Hyper-V (V for Virtualization), but only on 64-bit versions. More and more companies see this as a way of reducing hardware costs by running several 'virtual' servers on one physical machine.)
2. Server Core (provides the minimum installation required to carry out a specific server role, such as DHCP, DNS or print server, with a smaller attack surface and fewer patches to apply).
3. Better security.
4. Role-based installation.
5. Read Only Domain Controllers (RODC).
6. Enhanced Terminal Services.
7. Network Access Protection - Microsoft's system for ensuring that clients connecting to Server 2008 are patched, running a firewall and in compliance with corporate security policies.
8. PowerShell - Microsoft's command line shell and scripting language has proved popular with some server administrators.
9. IIS 7.
10. BitLocker - system drive encryption can be a sensible security measure for servers located in remote branch offices.
11. Windows Aero (through the Desktop Experience feature).
The main differences between 2003 and 2008 are virtualization and management; 2008 has more built-in components and updated third-party drivers.
>What are the requirements for installing AD on a new server?
1 The domain structure.
2 The domain name.
3 Storage location of the database and log files.
4 Location of the shared system volume (SYSVOL) folder.
5 DNS configuration method.
6 DNS configuration.
>What is LDP?
LDP (ldp.exe) is the graphical LDAP client that ships with the Windows Support Tools and is built into Windows Server 2008 and later. It connects and binds to a domain controller over LDAP, lets you browse and search any directory partition, view raw attribute values (including security descriptors and replication metadata) and modify objects; it is the tool to reach for when you need to see exactly what an LDAP client sees. Do not confuse it with the MPLS Label Distribution Protocol, which shares the abbreviation but has nothing to do with Active Directory.
>What are the group types available in Active Directory ?
Security groups: Use security groups to grant permissions to gain access to resources. Sending an e-mail message to a security group sends the message to all members of the group, so security groups share the capabilities of distribution groups.
Distribution groups: Distribution groups are used only for sending e-mail messages to groups of users. You cannot grant permissions to distribution groups: they are not security principals and have no place in an access control list. Even though security groups have all the capabilities of distribution groups, distribution groups are still required, because some applications can only read distribution groups and because using them avoids adding unnecessary SIDs to users' access tokens.
>Explain the group scopes in AD?
Domain Local Group: Use this scope to grant permissions to resources that are located in the same domain in which you created the domain local group. Domain local groups exist at all mixed, native and interim functional levels of domains and forests. Their membership is the least restricted: you can add user accounts, global groups and universal groups from any domain in the forest (and from trusted domains), and other domain local groups from the same domain. A domain local group can only be a member of another domain local group in its own domain; it cannot be nested into a global or universal group.
Global Group: Users with a similar function can be grouped under global scope and given permission to access a resource (such as a printer or a shared folder) located in the local domain or in another domain of the same forest. In other words, global groups can be used to grant permissions to resources located in any domain of the forest, but their membership is limited: user accounts and other global groups can be added only from the domain in which the global group was created. Global groups can be nested into other global groups of the same domain, into universal groups, and into domain local groups in any domain, which is how permissions to domain-specific resources (printers, published folders) are granted. Global groups exist at all mixed, native and interim functional levels of domains and forests.
Universal Group Scope: These groups are commonly used for e-mail distribution across the forest and can be granted access to resources in all trusted domains. A universal security group can only exist in a domain at the Windows 2000 native or Windows Server 2003 domain functional level; in mixed mode, universal groups can only be distribution groups. Universal group membership is not limited like that of global groups: user accounts, global groups and universal groups from any domain in the forest can be members. Universal groups can be nested into other universal groups and into domain local groups in any domain, but not into global groups. Their membership is stored in the Global Catalog, so every membership change is replicated to every GC in the forest.
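The nesting rules above are easy to misremember, so here is an added illustration (not code from the page) that encodes them as a check a practitioner can run against a proposed group design. It models the native-mode rules for principals within one forest; the domain names "corp" and "sales" and all group names are made up.

```python
"""Group-scope nesting rules in native mode (added illustration, not from the page)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Scope(Enum):
    DOMAIN_LOCAL = "domain local"
    GLOBAL = "global"
    UNIVERSAL = "universal"


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    scope: Optional[Scope] = None   # None means a user or computer account


def can_be_member(member: Principal, group: Principal) -> bool:
    """True if `member` may be added to security group `group` under native-mode rules
    (Windows 2000 native / Windows Server 2003 domain functional level and later)."""
    same_domain = member.domain == group.domain
    if group.scope is Scope.GLOBAL:
        # Global: accounts and other global groups, only from the group's own domain.
        return same_domain and member.scope in (None, Scope.GLOBAL)
    if group.scope is Scope.UNIVERSAL:
        # Universal: accounts, global and universal groups from any domain in the forest.
        return member.scope in (None, Scope.GLOBAL, Scope.UNIVERSAL)
    if group.scope is Scope.DOMAIN_LOCAL:
        # Domain local: accounts, global and universal groups from any domain,
        # plus other domain local groups from its own domain only.
        if member.scope is Scope.DOMAIN_LOCAL:
            return same_domain
        return True
    raise ValueError(f"{group.name} is not a group")


def validate_chain(chain: list[Principal]) -> list[str]:
    """Check a nesting chain (each element is added to the next one) and list the violations.
    The recommended pattern is AGDLP: Account -> Global -> Domain Local -> Permission."""
    problems = []
    for member, group in zip(chain, chain[1:]):
        if not can_be_member(member, group):
            kind = member.scope.value if member.scope else "account"
            problems.append(
                f"{member.name} ({member.domain}, {kind}) cannot be a member of "
                f"{group.name} ({group.domain}, {group.scope.value})"
            )
    return problems


if __name__ == "__main__":
    alice = Principal("alice", "sales")
    sales_admins = Principal("Sales Admins", "sales", Scope.GLOBAL)
    fileshare_rw = Principal("FS01 Share RW", "corp", Scope.DOMAIN_LOCAL)
    corp_admins = Principal("Corp Admins", "corp", Scope.GLOBAL)
    print(validate_chain([alice, sales_admins, fileshare_rw]))   # valid AGDLP chain: []
    print(validate_chain([sales_admins, corp_admins]))           # cross-domain global nesting rejected
```

The design choice here is to keep the rules in one function keyed on the *target* group's scope, which is how the directory itself enforces them: the error you get from ADUC or from an LDAP modify is always about what the group may contain, not about where the member may go.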
>What is the port no of Global catalog ?
3268
>What is the port no of LDAP ?
389
>Explain the Active Directory Schema ?
Windows 2000 and Windows Server 2003 Active Directory use a set of database rules called the "Schema". The Schema is defined as the formal definition of all object classes, and the attributes that make up those object classes, that can be stored in the directory. As mentioned earlier, the Active Directory database includes a default Schema which defines many object classes, such as users, groups, computers, domains, organizational units, and so on.
These objects are also known as "Classes". The Active Directory Schema is dynamically extensible, meaning that you can modify the schema by defining new object types and their attributes and by defining new attributes for existing objects. You can do this either with the Active Directory Schema snap-in included with Windows 2000/2003 Server, or programmatically. Schema changes are forest-wide and cannot be rolled back (attributes can only be deactivated, not deleted), which is why the Schema Admins group should normally be empty and populated only for the duration of a planned change.
>How can you forcibly remove AD from a server, and what do you do later? Can I get user passwords from the AD database?
With dcpromo /forceremoval an administrator can forcibly remove Active Directory and roll back the system without having to contact or replicate any locally held changes to another DC in the forest. After the reboot, all the metadata for the demoted DC is still present on the surviving domain controllers, so you must remove it manually with the NTDSUTIL metadata cleanup command.
If the NTDS Settings object is not removed correctly you can use Ntdsutil.exe to remove it manually. You will need the following tools: Ntdsutil.exe, Active Directory Sites and Services, Active Directory Users and Computers.
Active Directory does not store passwords in cleartext; it stores password hashes and Kerberos keys, encrypted inside ntds.dit with a key that is itself protected by the domain controller's SYSTEM registry hive. A cleartext password therefore cannot be read out of the database. However, anyone who obtains a copy of ntds.dit together with the SYSTEM hive (for example from an unprotected System State backup) can extract the hashes offline, so domain controller backups must be protected as carefully as the domain controllers themselves.
>What are the FSMO roles? Who has them by default? What happens when each one fails?
Flexible Single Master Operation (FSMO) roles. There are five FSMO roles, all held by the first domain controller installed in the forest until they are transferred or seized:
Schema master - if it fails, schema updates (for example an Exchange schema extension) cannot be made; day-to-day operation is unaffected.
Domain naming master - if it fails, domains cannot be added to or removed from the forest; day-to-day operation is unaffected.
RID master - if it fails, DCs cannot obtain new RID pools; once a DC exhausts its pool it can no longer create users, groups or computers.
PDC emulator - failure is noticed quickly: time synchronization, preferential password replication, account lockout processing, Group Policy editing and support for down-level clients all depend on it.
Infrastructure master - if it fails, cross-domain group membership references are not updated, so renamed or moved objects from other domains show stale names; there is no impact in a single-domain forest.
>What is a domain tree ?
Domain Trees: A domain tree comprises several domains that share a common schema and configuration, forming a contiguous namespace. Domains in a tree are also linked together by trust relationships. A forest is a set of one or more trees.
Trees can be viewed two ways. One view is the trust relationships between domains. The other view is the namespace of the domain tree.
>What is a forest ?
A collection of one or more domain trees with a common schema and implicit two-way transitive trust relationships between them. This arrangement would be used if you have multiple root DNS namespaces.
>How to Select the Appropriate Restore Method ?
You select the appropriate restore method by considering the circumstances and characteristics of the failure. From an Active Directory perspective, the two major categories of failure are Active Directory data corruption and hardware failure.
Active Directory data corruption occurs when the directory contains corrupt data that has been replicated to all domain controllers, or when a large portion of the Active Directory hierarchy has been changed accidentally (such as deletion of an OU) and this change has replicated to other domain controllers. Such cases need an authoritative restore, so that the restored objects win over the replicated deletion; a plain (non-authoritative) restore would simply be overwritten again by replication.
>How will you take an Active Directory backup ?
Active Directory is backed up along with the System State data. System State data includes the local registry, COM+ class registration database, boot files, NTDS.DIT and the SYSVOL folder. System State can be backed up either with Microsoft's built-in tool (NTBACKUP on Windows 2000/2003, Windows Server Backup / wbadmin on Windows Server 2008) or with third-party tools such as Symantec NetBackup or IBM Tivoli Storage Manager.
> Do we use clustering in Active Directory ? Why ?
No. Domain controllers are not installed in a failover cluster; there is no need, because Active Directory's multi-master replication already provides redundancy as soon as two or more domain controllers are deployed. The only single points of failure are the FSMO roles, and those are handled by transferring or seizing the role, not by clustering.
> What is the Active Directory Recycle Bin ?
The Active Directory Recycle Bin is a feature introduced in Windows Server 2008 R2 (it requires the Windows Server 2008 R2 forest functional level and must be enabled explicitly). It helps to restore accidentally deleted Active Directory objects, with their attributes and group memberships intact, without using a backed-up AD database, rebooting a domain controller or restarting any services.
> How do you check the current forest and domain functional levels? Say both GUI and command line.
In the GUI, open Active Directory Users and Computers, right-click the domain name and choose Properties; both the domain and forest functional levels are listed there. Active Directory Domains and Trusts shows the same information and is where the levels are raised. From the command line, query the msDS-Behavior-Version attribute with DSQUERY, for example dsquery * "DC=corp,DC=example,DC=com" -scope base -attr msDS-Behavior-Version for the domain (0 = Windows 2000, 2 = Windows Server 2003, 3 = Windows Server 2008, 4 = Windows Server 2008 R2), or use the Get-ADDomain and Get-ADForest PowerShell cmdlets on Windows Server 2008 R2.
> Which version of Kerberos is used for Windows 2000/2003 and 2008 Active Directory ?
All versions of Windows Server Active Directory use Kerberos 5.
> Name a few port numbers related to Active Directory ?
Kerberos 88 (and 464 for Kerberos password change), LDAP 389 (636 for LDAP over SSL), Global Catalog 3268 (3269 over SSL), DNS 53, SMB 445, RPC endpoint mapper 135 (replication and many administration tools then use dynamic RPC ports negotiated through it).
> What is an FQDN ?
FQDN stands for Fully Qualified Domain Name. It is the complete DNS name of a host, written from the host name at the left through every parent domain to the DNS root at the right, for example dc01.corp.example.com.
> Have you heard of ADAC ?
ADAC, the Active Directory Administrative Center, is a new GUI tool that came with Windows Server 2008 R2 and provides an enhanced data management experience to the administrator. ADAC is built on PowerShell cmdlets and lets administrators perform common Active Directory object management tasks across multiple domains from the same ADAC instance.
> How many objects can be created in Active Directory? (both 2003 and 2008)
As per Microsoft, a single AD domain controller can create around 2.15 billion objects during its lifetime.
> Explain the process between a user providing his domain credentials to his workstation and the desktop being loaded? Or how does AD authentication work ?
When a user enters a user name and password, the computer sends the user name to the KDC (the Key Distribution Center service on a domain controller) in an AS-REQ. The KDC holds a master database of long-term keys for every principal in its realm. It looks up the user's master key (KA), which is derived from the user's password. The KDC then creates two items: a session key (SA) to share with the user and a Ticket-Granting Ticket (TGT). The TGT includes a copy of SA, the user name and an expiration time, and is encrypted with the KDC's own long-term key (KKDC, the key of the krbtgt account), which only the KDC knows. The KDC returns the TGT together with SA encrypted under KA. The client computer runs the user's password through the same one-way key-derivation function to obtain KA, decrypts SA, and now holds a session key and a TGT with which it can securely communicate with the KDC. The client is authenticated to the domain and uses the TGT to request service tickets (for the workstation itself, file servers and so on) while the desktop and Group Policy are loaded.
In practice the KDC also requires pre-authentication by default: before issuing anything, it makes the client prove knowledge of KA by sending a current timestamp encrypted under it. Without that step anyone could request the encrypted reply for an arbitrary user name and guess the password offline, which is why the "Do not require Kerberos preauthentication" account option should stay unset.
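Below is an added, runnable model of the AS exchange just described, written to show both sides of the conversation; it is not code from the page and it goes beyond the text by including the pre-authentication step. The symbols KA, SA and KKDC follow the text. The "seal"/"unseal" primitive is a stand-in built from HMAC-SHA256 (keystream XOR plus a MAC), not a real Kerberos encryption type, and the realm, the user name and the ticket lifetime are assumed values.

```python
"""Toy Kerberos AS exchange: AS-REQ with pre-authentication, AS-REP with a TGT.
Added illustration; the cryptography is a stand-in, not Kerberos' own."""
from __future__ import annotations

import hashlib
import hmac
import json
import os
import time

TICKET_LIFETIME = 10 * 3600   # 10 hours, the default maximum TGT lifetime
CLOCK_SKEW = 300              # 5 minutes, the default tolerance


def string_to_key(password: str, salt: str) -> bytes:
    """Derive a long-term key K from a password (stand-in for Kerberos string2key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, data: dict) -> bytes:
    """Encrypt-then-MAC a small JSON message under `key` (toy construction)."""
    plain = json.dumps(data, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the MAC and decrypt; raises ValueError when the key is wrong."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or tampered message")
    plain = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(plain)


class KDC:
    """Key Distribution Center: holds every principal's long-term key and K_KDC."""

    def __init__(self, realm: str):
        self.realm = realm
        self.k_kdc = os.urandom(32)        # krbtgt key; never leaves the KDC
        self.keys: dict[str, bytes] = {}   # principal name -> K_A

    def register(self, name: str, password: str) -> None:
        # Salted with realm + principal name, as Kerberos does for AES keys.
        self.keys[name] = string_to_key(password, self.realm.upper() + name)

    def as_exchange(self, name: str, preauth: bytes) -> tuple[bytes, bytes]:
        """Handle an AS-REQ: check pre-authentication, return (enc_part, TGT)."""
        k_a = self.keys[name]
        # Pre-auth: the client must have encrypted a fresh timestamp under K_A.
        ts = unseal(k_a, preauth)["timestamp"]          # wrong password -> ValueError
        if abs(time.time() - ts) > CLOCK_SKEW:
            raise ValueError("clock skew too large")
        s_a = os.urandom(32)                             # session key S_A
        expires = int(time.time()) + TICKET_LIFETIME
        tgt = seal(self.k_kdc, {"cname": name, "key": s_a.hex(), "expires": expires})
        enc_part = seal(k_a, {"key": s_a.hex(), "expires": expires})
        return enc_part, tgt


def client_logon(kdc: KDC, name: str, password: str) -> tuple[bytes, bytes]:
    """Workstation side: derive K_A from the password, run the AS exchange
    and return (S_A, TGT). The TGT is opaque to the client; only S_A is readable."""
    k_a = string_to_key(password, kdc.realm.upper() + name)
    preauth = seal(k_a, {"timestamp": time.time()})
    enc_part, tgt = kdc.as_exchange(name, preauth)
    s_a = bytes.fromhex(unseal(k_a, enc_part)["key"])
    return s_a, tgt


if __name__ == "__main__":
    kdc = KDC("corp.example.com")          # assumed realm
    kdc.register("alice", "Winter2024!")   # constructed sample account
    s_a, tgt = client_logon(kdc, "alice", "Winter2024!")
    print("session key obtained:", s_a.hex()[:16], "... TGT bytes:", len(tgt))
    try:
        client_logon(kdc, "alice", "wrong-password")
    except ValueError as exc:
        print("logon rejected at pre-authentication:", exc)
```

Note where the wrong password fails: at the KDC, during pre-authentication, before any material encrypted under KA is handed out. If you delete the pre-auth check from as_exchange the exchange still "works", but the enc_part then becomes an offline password-guessing oracle for anyone who can send an AS-REQ.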