1Q. What are your daily tasks as a Windows Admin?
Daily tasks:
- Perform scheduled backups (if configured).
- Check usage levels.
- Check for runaway processes.
- Check disk space.
- Check mail functionality, connections.
- Check printer status with lpstat -t.
- Check auditing output, if activated.
- Check UUCP communications links, if active.
- Check for unattended login sessions.
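The Windows-side items in that list (disk space, runaway processes, unattended sessions, audit output, backups) can be scripted into one morning check. The script below is an added example, not part of the original post; the thresholds and the event log names it reads are assumptions to adjust for your own servers.

```powershell
# Added example (not from the original post): daily health check for the
# Windows items in the task list above. Thresholds are assumptions.

$diskWarnPercentFree = 15      # warn when a volume has less than this % free
$cpuWarnSeconds      = 3600    # warn when a process has used more than an hour of CPU
$since               = (Get-Date).AddDays(-1)

# 1. Disk space on every fixed local disk (DriveType 3 = local disk)
Get-CimInstance Win32_LogicalDisk -Filter "DriveType = 3" | ForEach-Object {
    $pctFree = [math]::Round(100 * $_.FreeSpace / $_.Size, 1)
    [pscustomobject]@{
        Drive   = $_.DeviceID
        SizeGB  = [math]::Round($_.Size / 1GB, 1)
        FreeGB  = [math]::Round($_.FreeSpace / 1GB, 1)
        PctFree = $pctFree
        Status  = if ($pctFree -lt $diskWarnPercentFree) { 'LOW' } else { 'ok' }
    }
} | Format-Table -AutoSize

# 2. Runaway processes: accumulated CPU seconds and working set, worst first
Get-Process |
    Where-Object { $_.CPU -gt $cpuWarnSeconds } |
    Sort-Object CPU -Descending |
    Select-Object -First 10 Id, ProcessName,
        @{n='CPUsec'; e={[int]$_.CPU}},
        @{n='WorkingSetMB'; e={[int]($_.WorkingSet64 / 1MB)}}

# 3. Unattended sessions: 'query user' prints a fixed-width table in which the
#    STATE column reads "Disc" for a disconnected interactive session.
query user 2>$null | Select-Object -Skip 1 | ForEach-Object {
    if ($_ -match '\bDisc\b') { "Disconnected session: $_" }
}

# 4. Audit output (if auditing is on): failed logons, event 4625, last 24 hours
$failed = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$since} `
            -ErrorAction SilentlyContinue
"Failed logons since ${since}: $(@($failed).Count)"

# 5. Backups: Windows Server Backup writes its job results to this log
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Backup'; StartTime=$since} `
    -ErrorAction SilentlyContinue |
    Select-Object -First 5 TimeCreated, Id, LevelDisplayName, Message
```

Run it from an elevated PowerShell session; reading the Security log and other users' sessions needs administrator rights. The printer and UUCP checks in the list are Unix commands and have no direct Windows equivalent here.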
2Q. What is the PDC emulator?
The PDC Emulator is one of the domain-wide FSMO roles, and one of the most important. Here is the task list managed by the PDC emulator:
(a) Backward compatibility with NT 4.0.
(b) It synchronizes time with the DCs with the help of NTP (Network Time Protocol, port 123). As per Microsoft we cannot accept more than 22 seconds of delay between DCs and client machines.
(c) Account-related information such as account lockouts, password expiry and password changes is managed by the PDC emulator.
(d) Group policy is managed by the PDC emulator. The SYSVOL folder contains the domain-wide group policy that is shared between DCs.
(e) All login scripts are managed by the PDC emulator.
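To see the role holders and check point (b) in practice, the following added example (not from the original post) lists the FSMO roles and measures the local clock's offset from the PDC emulator. It assumes the ActiveDirectory module (RSAT) on a domain-joined host; the 22-second limit is the figure quoted in the answer above.

```powershell
# Added example (not from the original post): FSMO role holders and a clock-skew
# check against the PDC emulator. Assumes RSAT / ActiveDirectory module.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
[pscustomobject]@{
    PDCEmulator          = $domain.PDCEmulator            # domain-wide
    RIDMaster            = $domain.RIDMaster              # domain-wide
    InfrastructureMaster = $domain.InfrastructureMaster   # domain-wide
    SchemaMaster         = $forest.SchemaMaster           # forest-wide
    DomainNamingMaster   = $forest.DomainNamingMaster     # forest-wide
} | Format-List

# Where this machine takes its time from: members should point at a DC, and
# every DC except the PDC emulator should chain up to the PDC emulator.
w32tm /query /source

# Five NTP exchanges (UDP/123) against the PDC emulator. With /dataonly each
# sample line is "<time>, <offset>s" where offset = local clock minus PDC clock.
$pdc = $domain.PDCEmulator
$offsets = w32tm /stripchart /computer:$pdc /samples:5 /dataonly |
    ForEach-Object { if ($_ -match ',\s*([+-]?\d+\.\d+)s') { [double]$Matches[1] } }

$maxSkewSeconds = 22     # limit quoted in the answer above
if (-not $offsets) {
    Write-Warning "No NTP reply from $pdc; check UDP/123 and the Windows Time service"
} else {
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    if ($worst -gt $maxSkewSeconds) {
        Write-Warning ("Clock is {0:N3}s off PDC emulator {1}; authentication and replication will fail" -f $worst, $pdc)
    } else {
        "Clock within {0:N3}s of {1}" -f $worst, $pdc
    }
}
```

If the offset is large, fix the time source first (w32tm /resync on the offending machine) rather than restarting services; a skewed clock is a common root cause of Kerberos and replication failures.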
3Q. What is a GPO?
It is a set of rules which is used to manage the domain environment, such as user and computer configuration.
There are two types of policy: local computer policy and domain policy.
Order in which policy is processed: Local computer, Site, Domain, OU (LSDOU).
Order of precedence, i.e. which policy wins when settings conflict: OU, Domain, Site, Local computer (OUDSL).
4Q. What is SYSVOL?
The SYSVOL folder contains the domain-wide group policy that is shared between DCs. It requires an NTFS partition, and on Windows Server 2003 it is replicated to the other DCs by the File Replication Service (FRS). On Windows Server 2008, DFSR is responsible for replicating the SYSVOL folder, and the folder is then known as SYSVOL_DFSR.
5Q. What is the command to see the cluster log?
(a) Use the cluster /log /g command at the command prompt. This command generates the cluster log into the \windows\cluster\reports directory on each WSFC node. The advantage of this method is that you can specify the level of detail in the generated logs by using the /level option. The disadvantage is that you cannot specify the destination directory for the generated cluster logs.
(b) Use the Get-ClusterLog PowerShell cmdlet. The advantage of this method is that you can generate the cluster log from all nodes into one destination directory on the node on which you run the cmdlet. The disadvantage is that you cannot specify the level of detail in the generated logs.
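Method (b) in use, as an added example that is not part of the original post: collect the log from every node into one folder and pull out the error and warning lines. It assumes the FailoverClusters module (RSAT) and rights on the cluster; the destination path is a placeholder.

```powershell
# Added example (not from the original post): gather cluster logs from all nodes
# and filter for ERR/WARN lines. Assumes the FailoverClusters module.
Import-Module FailoverClusters

$dest = 'C:\ClusterLogs'          # assumed destination folder
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Method (b): one cmdlet, every node, one destination. -TimeSpan keeps only the
# last N minutes so the files stay readable.
Get-ClusterLog -Destination $dest -TimeSpan 120 -UseLocalTime

# Method (a) for comparison: verbosity is selectable (/level:5 is the most
# detailed) but the files land in \windows\cluster\reports on each node.
#   cluster /log /g /level:5

# Each line of a cluster log carries a severity column, e.g.
#   00000a1c.00001b2c::2016/05/10-09:12:31.456 ERR   [RCM] ...
# Get-ClusterLog names the files <node>_cluster.log.
Get-ChildItem -Path $dest -Filter '*_cluster.log' | ForEach-Object {
    $node = $_.BaseName
    Select-String -Path $_.FullName -Pattern '::\S+ (ERR|WARN) ' |
        Select-Object -Last 20 |
        ForEach-Object { "[{0}] {1}" -f $node, $_.Line }
}
```

Run it right after the incident; the in-memory trace that feeds the log wraps, so waiting hours can lose the interesting lines.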
6Q. How to demote a server without running DCPROMO?
If DCPROMO fails to demote a DC, then we can do a metadata cleanup.
There are three ways to perform metadata cleanup:
- Clean up server metadata by using GUI tools
- Clean up server metadata by using the command line
- Clean up server metadata by using a script
- http://msexchangeteam.in/metadata-cleanup-unsuccessful-demotion-of-domain-controller/
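The command-line method, as an added example that is not from the original post or the linked article: confirm the DC is really gone, remove its NTDS settings with ntdsutil, then clear the objects ntdsutil leaves behind. The DC name "DC2", the site name and the share of work between steps are assumptions.

```powershell
# Added example (not from the original post): metadata cleanup for a DC that
# could not be demoted. "DC2" and the site name are placeholders.
Import-Module ActiveDirectory

$deadDc   = 'DC2'
$site     = 'Default-First-Site-Name'
$dnsRoot  = (Get-ADDomain).DNSRoot
$configNc = (Get-ADRootDSE).configurationNamingContext

# 1. Make sure the DC is unreachable and holds no FSMO role before removing it
Get-ADDomainController -Filter * | Select-Object Name, Site, IsGlobalCatalog, OperationMasterRoles
if (Test-Connection -ComputerName "$deadDc.$dnsRoot" -Count 1 -Quiet) {
    throw "$deadDc still answers; demote it properly instead of cleaning metadata"
}

# 2. DN of the stale server object in the configuration partition
$serverDn = "CN=$deadDc,CN=Servers,CN=$site,CN=Sites,$configNc"
Get-ADObject -Identity $serverDn | Out-Null   # throws if the DN is wrong

# 3. ntdsutil accepts its interactive commands as arguments. This removes the
#    NTDS Settings object, connection objects and FRS/DFSR member objects.
#    It still pops up a confirmation dialog before deleting.
ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit

# 4. Objects ntdsutil does not remove: the server object itself, the computer
#    account in the Domain Controllers OU, and the host record in DNS.
Remove-ADObject -Identity $serverDn -Recursive -Confirm:$false
Get-ADComputer -Identity $deadDc | Remove-ADObject -Recursive -Confirm:$false
Get-DnsServerResourceRecord -ZoneName $dnsRoot -RRType A |
    Where-Object { $_.HostName -eq $deadDc } |
    Remove-DnsServerResourceRecord -ZoneName $dnsRoot -Force

# 5. Verify the rest of the forest no longer references the old DC
repadmin /replsummary
Get-ADDomainController -Filter * | Select-Object Name
```

On Windows Server 2008 and later, deleting the computer object from the Domain Controllers OU in Active Directory Users and Computers performs the same NTDS cleanup (the GUI method from the list above); the DNS and replication checks in the last steps still apply.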
7Q. How to map a shared drive for users from the server?
We can use Group Policy to map a shared drive for users. Create a new OU, move into it all users who need access to that shared drive, and assign a group policy under User Configuration\Preferences\Windows Settings\Drive Maps; follow the wizard to provide the shared folder path and tick Show this drive. Run gpupdate /force to apply the policy, and the user will be able to access the drive without any error after a reboot or log off.
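The OU, user move, GPO link and verification from that answer can be scripted; only the Drive Maps preference item itself has no cmdlet and is still set in the editor. The block below is an added example, not from the original post; the OU, group, GPO, share and client names are placeholders.

```powershell
# Added example (not from the original post): OU + GPO link for a mapped drive.
# All names and paths are placeholders. Assumes RSAT (ActiveDirectory, GroupPolicy).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$ouName   = 'FinanceShareUsers'
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'Map S Drive - Finance'
$client   = 'WS-FIN-01'

# 1. OU that carries the policy; move the users who need the drive into it
New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
Get-ADGroupMember -Identity 'Finance-Staff' |        # assumed security group
    Get-ADUser | Move-ADObject -TargetPath $ouDn

# 2. Create the GPO and link it to the OU
New-GPO -Name $gpoName -Comment 'Maps S: to \\fs01\finance via Preferences > Drive Maps' | Out-Null
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes -Enforced No

# The Drive Maps item has no GroupPolicy cmdlet. Open the GPO in the Group Policy
# Management Editor and add it under
#   User Configuration > Preferences > Windows Settings > Drive Maps
#   Action: Update, Location: \\fs01\finance, Drive Letter: S:, Show this drive.

# 3. Push the policy (equivalent to gpupdate /force on the client) and verify
Invoke-GPUpdate -Computer $client -Target User -Force
Get-GPInheritance -Target $ouDn | Select-Object -ExpandProperty GpoLinks
Get-GPResultantSetOfPolicy -Computer $client -User 'CORP\jdoe' -ReportType Html -Path 'C:\Temp\rsop.html'
```

Users must log off and on again for the preference to take effect, as the answer notes; the RSoP report confirms the GPO reached the user before you start chasing the share permissions.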
8Q. What are Home Folders?
A home folder is a private network location where users can store personal files. It is stored in a shared folder on a network server. When you create the home folder on a network server, users can access it from any computer on the network.
Assign a home folder to a domain user
Note: To specify a network path for the home folder, you must first create the network share and set permissions that permit the user access. You can do this with Shared Folders in Computer Management on the server computer.
To assign a home folder to a domain user:
1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the console tree, click Users.
3. In the Details pane, right-click the user account, and then click Properties.
4. In the Properties dialog box, click Profile.
5. Under Home folder, type the folder information. To do this, follow these steps:
   a. To assign a home folder on a network server, click Connect, and then specify a drive letter.
   b. In the To box, type a path. This path can be either of the following types:
      - Network path, for example: \\server\users\tester
      - You can substitute username for the last subfolder in the path, for example: \\server\users\username
   Note: In these examples, server is the name of the file server housing the home folders, and users is the shared folder.
6. Click OK.
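The note above says the share and permissions must exist first. As an added example (not from the original post), this script builds the share with access-based enumeration, gives the user Modify on their own folder only, and then sets the home folder attributes that the Profile tab writes. The root path, share name and user are placeholders; it is meant to run on the file server.

```powershell
# Added example (not from the original post): share + NTFS ACL + home folder
# assignment. Paths and the user name are placeholders; run on the file server.
Import-Module ActiveDirectory

$root   = 'D:\Users'              # local root of the home folders (assumed)
$share  = 'Users'
$server = $env:COMPUTERNAME
$user   = 'tester'
$netbios = (Get-ADDomain).NetBIOSName

# 1. Root folder and share. Access-based enumeration hides other users' folders;
#    the share ACL stays broad and NTFS does the real restriction.
New-Item -ItemType Directory -Path $root -Force | Out-Null
New-SmbShare -Name $share -Path $root -ChangeAccess 'Authenticated Users' `
    -FullAccess 'Administrators' -FolderEnumerationMode AccessBased

# 2. Per-user folder with inheritance cut off: user gets Modify, admins/SYSTEM Full
$userPath = Join-Path $root $user
New-Item -ItemType Directory -Path $userPath -Force | Out-Null
$acl = Get-Acl $userPath
$acl.SetAccessRuleProtection($true, $false)     # stop inheriting from D:\Users
$grants = @{
    "$netbios\$user"          = 'Modify'
    'BUILTIN\Administrators'  = 'FullControl'
    'NT AUTHORITY\SYSTEM'     = 'FullControl'
}
foreach ($principal in $grants.Keys) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, $grants[$principal], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $userPath -AclObject $acl

# 3. Steps 4-6 of the answer: Connect H: to \\server\users\<user>.
#    Set-ADUser stores the string literally, so the user name is expanded here
#    rather than relying on the %username% substitution the GUI performs.
Set-ADUser -Identity $user -HomeDrive 'H:' -HomeDirectory "\\$server\$share\$user"

# 4. Verify what the Profile tab will now show
Get-ADUser -Identity $user -Properties HomeDrive, HomeDirectory |
    Select-Object SamAccountName, HomeDrive, HomeDirectory
```

Giving the user Modify rather than Full Control stops them from re-granting their folder to others, which keeps the "private network location" promise of the definition.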
9Q. What are the different types of groups? What is group scope, and what are the different group scopes?
There are two types of groups: Security Groups and Distribution Groups.
Security Groups: Security groups are used to group domain users into a single administrative unit. Security groups can be assigned permissions and can also be used as e-mail distribution lists. Users placed into a group inherit the permissions assigned to the group for as long as they remain members of that group. Windows itself uses only security groups.
Distribution Groups: These are used for non-security purposes by applications other than Windows. One of the primary uses is within e-mail.
As with user accounts, there are both local and domain-level groups. Local groups are stored in a local computer's security database and are intended to control access to resources on that computer. Domain groups are stored in Active Directory and let you gather users and control access to resources in a domain and on domain controllers.
Group Scope: Group scopes determine where in the Active Directory forest a group is accessible and what objects can be placed into the group.
There are three different group scopes: domain local, global and universal. The scope decides who can be a member of the group and where the group can be used. These are the three group scopes and a "Can Contain" matrix for each:
1. Domain Local Groups: These groups are only visible in their own domain. For that reason, domain local security groups can be used to grant rights and permissions only on resources that reside in the same domain where the domain local group is located. Domain local groups can contain domain local groups only from the same domain, but can contain users, computers and all other group types from the same domain and from trusted domains (all domains in the forest). Use domain local groups for assigning permissions to resources in their home domain.
CAN CONTAIN: Domain Local Groups from the own domain, Global Groups from trusted domains and any domain in the forest, Universal Groups from trusted domains and any domain in the forest.
2. Global Groups: These groups are visible throughout the forest, but can only contain accounts and global groups from the same domain. The group itself can be a member of universal and domain local groups in any domain, and of global groups in its own domain. Global groups should be used to organize users who share the same job tasks, department, etc. You should not assign permissions directly to global groups; domain local groups are more appropriate for that.
CAN CONTAIN: Global Groups from the OWN domain.
3. Universal Groups: These groups are visible throughout the forest and can contain accounts, global groups and other universal groups from any domain in the forest (they cannot contain domain local groups). Universal groups should be used to nest global groups. By doing that, the group can be used to assign permissions to resources in multiple domains.
CAN CONTAIN: Global Groups from any domain in the forest, Universal Groups from any domain in the forest.
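The three scopes and the "Can Contain" matrix come together in the usual AGDLP pattern (accounts in global groups, global groups in domain local groups, permissions on the domain local group). The following is an added example, not from the original post; group names, the OU and the folder path are placeholders, and it assumes the ActiveDirectory module.

```powershell
# Added example (not from the original post): AGDLP with the three group scopes.
# Names, OU and path are placeholders. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$ou      = "OU=Groups,$((Get-ADDomain).DistinguishedName)"
$netbios = (Get-ADDomain).NetBIOSName

# Global group: organises people by role; members must be from this domain
New-ADGroup -Name 'GG-Finance-Staff' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'GG-Finance-Staff' -Members 'jdoe', 'asmith'

# Domain local group: the one that actually carries the permission on the resource
New-ADGroup -Name 'DL-FinanceShare-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'DL-FinanceShare-Modify' -Members 'GG-Finance-Staff'   # global in domain local: allowed

# Universal group: aggregates global groups across domains (membership lives in the GC)
New-ADGroup -Name 'UG-AllFinance' -GroupScope Universal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'UG-AllFinance' -Members 'GG-Finance-Staff'

# What the matrix forbids: a domain local group inside a global group
try {
    Add-ADGroupMember -Identity 'GG-Finance-Staff' -Members 'DL-FinanceShare-Modify' -ErrorAction Stop
} catch {
    "Rejected as expected: $($_.Exception.Message)"
}

# Permission goes on the domain local group, never directly on the global group
$path = 'D:\Shares\Finance'
$acl  = Get-Acl $path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$netbios\DL-FinanceShare-Modify", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Scope and nesting as stored in AD
Get-ADGroup -Filter 'Name -like "*Finance*"' -Properties Members |
    Select-Object Name, GroupScope, @{n='Members'; e={ $_.Members -join '; ' }}
```

Keeping the permission on the domain local group means a reorganisation only changes group membership, never the ACLs on the file server.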
10Q. What is cost?
Site link cost can be used to determine which domain controller is contacted by clients located in one site if a domain controller for the specified domain does not exist at that site. The client contacts the domain controller by using the site link that has the lowest cost assigned to it.
It is recommended that the cost value be defined on a site-wide basis. Cost is usually based not only on the total bandwidth of the link but also on the availability, latency, and monetary cost of the link. https://technet.microsoft.com/en-us/library/cc782827(v=ws.10).aspx
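Listing the existing site links and adjusting a cost, as an added example that is not from the original post; the site link names are placeholders and the ActiveDirectory module is assumed.

```powershell
# Added example (not from the original post): inspect and set site link costs.
# Site link names are placeholders. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# All site links, cheapest first, with the sites each one joins
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Sort-Object Cost |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{n='Sites'; e={ ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ' <-> ' }}

# Prefer the MPLS circuit over the VPN backup: lower cost wins when both
# connect the same sites, so replication and client DC lookups follow MPLS.
Set-ADReplicationSiteLink -Identity 'HQ-Branch-MPLS' -Cost 100 -ReplicationFrequencyInMinutes 15
Set-ADReplicationSiteLink -Identity 'HQ-Branch-VPN'  -Cost 500

# Which links touch a given site (the ones a client there may be routed over)
Get-ADReplicationSiteLink -Filter * -Properties SitesIncluded |
    Where-Object { $_.SitesIncluded -match '^CN=Branch,' } |
    Select-Object Name, Cost
```

The defaults are cost 100 and 180 minutes; keep a consistent scale across the forest so that a cheap link in one region is not accidentally undercut by a default elsewhere.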
11Q. Why do we need to authorize DHCP?
If the DHCP server is not authorized, it will not lease IP addresses to DHCP clients. When configured correctly and authorized for use on a network, Dynamic Host Configuration Protocol (DHCP) servers provide a useful administrative service. However, a misconfigured or unauthorized DHCP server can cause problems. For example, if an unauthorized DHCP server starts, it might begin either leasing incorrect IP addresses to clients or negatively acknowledging DHCP clients that attempt to renew current address leases. To resolve these issues, DHCP servers are verified as authorized in Active Directory Domain Services before they can service clients, and unauthorized, or rogue, servers are detected. This prevents most of the accidental damage caused by either misconfigured DHCP servers or correctly configured DHCP servers running on the wrong network.
To authorize a DHCP server in AD DS:
1. Click Start, point to Administrative Tools, and then click DHCP.
2. In the console tree, click DHCP.
3. On the Action menu, click Manage authorized servers. The Manage Authorized Servers dialog box appears.
4. Click Authorize.
5. When prompted, type the name or IP address of the DHCP server to be authorized, and then click OK.
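The same authorization from PowerShell, plus the checks an administrator runs afterwards, as an added example that is not from the original post. It assumes the DhcpServer module; the server name and addresses are placeholders.

```powershell
# Added example (not from the original post): authorize a DHCP server in AD DS
# and audit the authorized list. Names and addresses are placeholders.
Import-Module DhcpServer

$dhcpServer = 'dhcp01.corp.example'
$dhcpIp     = '10.0.0.10'

# 1. Authorize. Needs Enterprise Admins, or delegated rights on
#    CN=NetServices,CN=Services,CN=Configuration,<forest root>.
Add-DhcpServerInDC -DnsName $dhcpServer -IPAddress $dhcpIp

# 2. The authorized list as stored in AD DS
Get-DhcpServerInDC | Format-Table DnsName, IPAddress -AutoSize

# 3. The server's own view: IsAuthorized must be True or it will not lease
Get-DhcpServerSetting -ComputerName $dhcpServer | Select-Object IsDomainJoined, IsAuthorized

# 4. Audit: each authorized name must still resolve to the address that was
#    authorized; a mismatch means a stale entry or a re-used host name.
foreach ($entry in Get-DhcpServerInDC) {
    $authorizedIp = $entry.IPAddress.IPAddressToString
    $resolved = (Resolve-DnsName -Name $entry.DnsName -Type A -ErrorAction SilentlyContinue).IPAddress
    [pscustomobject]@{
        DnsName      = $entry.DnsName
        AuthorizedIP = $authorizedIp
        ResolvesTo   = $resolved -join ','
        Consistent   = @($resolved) -contains $authorizedIp
    }
}

# 5. Withdraw authorization from a server that must stop serving leases
# Remove-DhcpServerInDC -DnsName 'old-dhcp.corp.example' -IPAddress 10.0.0.99
```

Authorization only governs Windows DHCP servers that are domain members; it does not stop a non-Windows or workgroup server from answering, so the rogue-server detection the answer mentions is a complement to, not a replacement for, DHCP snooping on the switches.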
12Q. What is the command for replication? Give some examples.
Repadmin /kcc - Forces the Knowledge Consistency Checker (KCC) on each targeted domain controller to immediately recalculate the inbound replication topology.
Repadmin /prp - Lists and modifies the Password Replication Policy (PRP) for read-only domain controllers (RODCs).
Repadmin /queue - Displays inbound replication requests that the domain controller has to issue to become consistent with its source replication partners. Growth in the number of items in the queue of an online domain controller can be caused by any of the following factors:
- Too many concurrent replication partners
- High change rates to objects in Active Directory Domain Services (AD DS)
- Insufficient CPU or network bandwidth for the amount of data that the domain controller is replicating
Repadmin /replicate - Triggers the immediate replication of the specified directory partition to a destination domain controller from a source domain controller.
Repadmin /replsingleobj - Replicates a single object between any two domain controllers that have common directory partitions. The two domain controllers do not have a replication agreement. That is, neither domain controller has an inbound connection object for the other domain controller. You can use the repadmin /showrepl or the repadmin /showconn command to show replication agreements.
Repadmin /replsummary - Identifies domain controllers that are failing inbound replication or outbound replication, and summarizes the results in a report.
Repadmin /rodcpwdrepl - Triggers replication of passwords for the specified users from a writable Windows Server 2008 source domain controller to one or more read-only domain controllers (RODCs). For each destination RODC, the source domain controller enforces the Password Replication Policy (PRP) before it performs the operation. If the PRP does not permit replicating the password to an RODC for a specified user, the operation for that user and RODC combination fails.
Repadmin /showattr - Although the repadmin /showobjmeta command displays the number of times that the attributes on an object have changed and which domain controller made those changes, the repadmin /showattr command displays the actual values for an object. The repadmin /showattr command can also display the values for objects that are returned by a command-line Lightweight Directory Access Protocol (LDAP) query. An object can be referenced by its distinguished name or by its object globally unique identifier (GUID). By default, repadmin /showattr uses LDAP port 389 to query writable directory partitions. However, repadmin /showattr can optionally use LDAP port 3268 to query the read-only partitions of a global catalog server.
Repadmin /showobjmeta - Displays the replication metadata for a specified object stored in Active Directory Domain Services (AD DS), such as the attribute ID, a version number, the originating and local Update Sequence Numbers (USNs), the globally unique identifier (GUID) of the originating server, and the date and time stamp. By comparing the replication metadata for the same object on different domain controllers, you can determine whether replication has occurred or which domain controller added, modified, or deleted an attribute or object. You can reference an object by its distinguished name path, object GUID, or security identifier (SID). If the distinguished name path includes a space, enclose it in quotation marks.
Repadmin /showrepl - Displays the replication status when the specified domain controller last attempted to perform inbound replication of Active Directory partitions. The repadmin /showrepl command helps you understand the replication topology and replication failures. It reports status for each source domain controller from which the destination has an inbound connection object. The status report is categorized by directory partition.
Repadmin /showutdvec - Displays the highest committed Update Sequence Number (USN) that Active Directory Domain Services (AD DS) on the targeted domain controller shows as committed for itself and its transitive partners. The up-to-dateness vector (UTDVEC) shows the highest USN that the destination domain controller has received by replication, in the form of changes it has received from its direct and transitive replication partners for the specified partition.
Repadmin /syncall - Synchronizes a specified domain controller with all of its replication partners.
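A worked run of /replsummary, /showrepl, /kcc, /replicate and /queue, as an added example that is not from the original post: repadmin can emit CSV, so its /showrepl output is turned into objects and filtered for failing or stale partners. DC names are placeholders; it assumes a host with RSAT and rights on the directory.

```powershell
# Added example (not from the original post): forest-wide replication health
# from repadmin's CSV output. DC names are placeholders.
Import-Module ActiveDirectory

# One-screen summary first
repadmin /replsummary

# /showrepl for every DC ("*") in CSV form; the column names are fixed by repadmin
$repl = repadmin /showrepl * /csv | ConvertFrom-Csv

# Partners with any failures, newest failure first
$repl |
    Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Sort-Object 'Last Failure Time' -Descending |
    Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                  'Number of Failures', 'Last Failure Time', 'Last Failure Status'

# Partners with no successful inbound replication in the last 24 hours
$stale = (Get-Date).AddDays(-1)
$repl | Where-Object {
    $t = [datetime]::MinValue
    [datetime]::TryParse($_.'Last Success Time', [ref]$t) -and $t -lt $stale
} | Select-Object 'Destination DSA', 'Source DSA', 'Naming Context', 'Last Success Time'

# Remediate one failing pair: rebuild topology on the destination, pull the
# domain partition from the source, then watch the queue drain.
$domainNc = (Get-ADDomain).DistinguishedName
repadmin /kcc DC2
repadmin /replicate DC2 DC1 $domainNc
repadmin /queue DC2
```

Treat a growing /queue on a DC together with the factors listed above; forcing more /replicate calls at a DC that is already CPU- or bandwidth-bound makes the backlog worse, not better.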
13Q. What is quorum and how does it work?
A cluster quorum disk is the storage medium on which the configuration database is stored for a cluster computing network. The cluster configuration database, also called the quorum, tells the cluster which physical server(s) should be active at any given time. The quorum disk comprises a shared block device that allows concurrent read/write access by all nodes in a cluster.
When network problems occur, they can interfere with communication between cluster nodes. A small set of nodes might be able to communicate together across a functioning part of a network but not be able to communicate with a different set of nodes in another part of the network. This can cause serious issues. In this "split" situation, at least one of the sets of nodes must stop running as a cluster.
To prevent the issues that are caused by a split in the cluster, the cluster software requires that any set of nodes running as a cluster must use a voting algorithm to determine whether, at a given time, that set has quorum. Because a given cluster has a specific set of nodes and a specific quorum configuration, the cluster will know how many "votes" constitute a majority (that is, a quorum). If the number drops below the majority, the cluster stops running. Nodes will still listen for the presence of other nodes, in case another node appears again on the network, but the nodes will not begin to function as a cluster until the quorum exists again.
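The voting arithmetic from that answer, read from a live cluster, as an added example that is not from the original post: it lists the quorum type and each node's vote, then works out the majority and how many more losses the cluster can absorb. It assumes the FailoverClusters module and a reachable cluster.

```powershell
# Added example (not from the original post): current votes versus majority.
# Assumes the FailoverClusters module on a node or management host.
Import-Module FailoverClusters

$cluster = Get-Cluster
$quorum  = Get-ClusterQuorum -Cluster $cluster
$quorum | Select-Object Cluster, QuorumType, QuorumResource

# NodeWeight = the vote configured for the node; DynamicWeight = the vote it
# currently holds after dynamic quorum has adjusted for nodes that went down.
$nodes = Get-ClusterNode -Cluster $cluster | Select-Object Name, State, NodeWeight, DynamicWeight
$nodes | Format-Table -AutoSize

# A disk or file share witness, when configured, contributes one vote
$witnessVotes = if ($quorum.QuorumResource) { 1 } else { 0 }
$totalVotes   = ($nodes | Measure-Object -Property DynamicWeight -Sum).Sum + $witnessVotes
$majority     = [math]::Floor($totalVotes / 2) + 1
$upVotes      = ($nodes | Where-Object { $_.State -eq 'Up' } |
                    Measure-Object -Property DynamicWeight -Sum).Sum + $witnessVotes

[pscustomobject]@{
    TotalVotes      = $totalVotes
    MajorityNeeded  = $majority
    VotesOnline     = $upVotes
    HasQuorum       = $upVotes -ge $majority
    LossesTolerated = $upVotes - $majority   # further votes the cluster can lose and still run
}
```

With an even number of nodes and no witness, one network split can leave both halves below the majority and the whole cluster stopped; the check above makes that zero-loss-tolerance state visible before it happens.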
14Q. What are forwarders and conditional forwarders?
A forwarder is a Domain Name System (DNS) server on a network that forwards DNS queries for external DNS names to DNS servers outside that network.
Conditional forwarders are DNS servers that forward queries according to domain names. Rather than having a DNS server forward all queries it cannot resolve locally to a forwarder, you can configure DNS servers to forward queries to different forwarders according to the specific domain names that are contained in the queries. Forwarding according to domain names improves conventional forwarding by adding a name-based condition to the forwarding process.
The conditional forwarder setting for a DNS server consists of the following:
- The domain names for which the DNS server will forward queries
- One or more DNS server IP addresses for each domain name that is specified
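Both settings configured on a Windows DNS server and then verified, as an added example that is not from the original post. The addresses and the partner zone name are placeholders; it assumes the DnsServer module on the DNS server itself.

```powershell
# Added example (not from the original post): default and conditional forwarders.
# Addresses and zone names are placeholders. Assumes the DnsServer module.
Import-Module DnsServer

# Default forwarder: everything this server cannot answer from its own zones or cache
Add-DnsServerForwarder -IPAddress 10.0.0.53, 10.0.0.54 -PassThru
Set-DnsServerForwarder -UseRootHint $false -Timeout 3   # fail fast, no root-hint fallback

# Conditional forwarder: only queries under partner.example go to the partner's
# DNS servers. -ReplicationScope stores it in AD so every DC/DNS server gets it.
Add-DnsServerConditionalForwarderZone -Name 'partner.example' `
    -MasterServers 10.1.1.5, 10.1.1.6 -ReplicationScope Forest

# What is configured now
Get-DnsServerForwarder
Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Forwarder' } |
    Select-Object ZoneName, MasterServers

# Verify the two paths: the first name should be answered via the conditional
# forwarder, the second via the default forwarders.
Resolve-DnsName -Name 'www.partner.example' -Server localhost
Resolve-DnsName -Name 'www.example.net'     -Server localhost
```

Because the conditional forwarder sends partner.example queries straight to the partner's servers, recursion is not needed for that zone and the partner's zone data never has to be copied locally, unlike a stub or secondary zone.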
15Q. How does the PDC emulator work with NT 4.0?
- The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are upgraded to Windows 2000. The PDC emulator still performs the other functions as described in a Windows 2000 environment.