Interview Questions Dump


Interview Questions

1. In Windows NT 4.0, what is the account database called? The SAM (Security Accounts Manager), stored in %SystemRoot%\System32\config\SAM.

2. When you create a shared folder, some users already appear on the Security tab and their entries have one special property. What is it called? Inherited permissions: the ACEs propagated from the parent folder. They show greyed out and cannot be edited directly; to change them you either clear "Allow inheritable permissions from parent to propagate to this object" (copying or removing them) or edit the parent.

3. What is a Global Catalog server, and what is it used for? A domain controller that holds a full, writable copy of its own domain partition plus a partial, read-only replica of every object in every other domain of the forest (only the attributes marked for GC replication). It answers forest-wide searches (LDAP port 3268), resolves UPN logons and supplies universal group memberships at logon. It is a consumer of replication, not the replication mechanism itself.

4. You run dcpromo on a single Windows 2000 Server machine at home. After entering the DNS domain name and the NetBIOS name it fails with "Network cannot be reached". Why? Dcpromo needs a network interface that is up and has an IP address. On a stand-alone machine with no link, install the Microsoft Loopback Adapter and give it a static address before promoting.

5. Which FSMO roles are domain-wide? PDC Emulator, RID Master and Infrastructure Master (one of each per domain). Schema Master and Domain Naming Master are forest-wide: one of each per forest.

6. What is the first step before creating a forest trust? Raise the forest functional level of both forests to Windows Server 2003. Forest trusts do not exist in Windows 2000, and a Windows 2000 mixed or native level is too low; functional levels can only be raised, never lowered.

7. You have a Windows 2000 server. On Monday you take a normal (full) backup; on Tuesday, Wednesday, Thursday and Friday you take incremental backups. The server dies. After reinstalling, which backups must you restore? All of them, in order: Monday's full backup, then the Tuesday, Wednesday, Thursday and Friday incrementals. Each incremental contains only the files changed since the previous backup (it clears the archive bit), so none can be skipped. Had you taken differential backups instead, you would restore only Monday's full backup plus Friday's differential.
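The incremental-versus-differential reasoning above, as an added example that is not part of the original page: a small Python simulation of the archive bit that Windows Backup relies on (normal and incremental backups clear it, differential backups leave it set) over a constructed week of file changes. The file names and contents are made up.

```python
from dataclasses import dataclass, field


@dataclass
class BackupSet:
    day: str
    kind: str                                   # "normal", "incremental" or "differential"
    files: dict = field(default_factory=dict)   # path -> content captured on that day


def take_backup(day, kind, disk, archive):
    """disk: path -> content. archive: set of paths whose archive bit is set.
    A normal backup copies everything; incremental and differential copy only files
    with the archive bit set. Normal and incremental then clear the bit, differential
    leaves it set, so each differential grows until the next full backup."""
    captured = dict(disk) if kind == "normal" else {p: disk[p] for p in archive}
    if kind in ("normal", "incremental"):
        archive.clear()
    return BackupSet(day, kind, captured)


def run_week(schedule, kind):
    """schedule: [(day, {path: new content}), ...]. Monday takes a normal backup,
    every other day takes a backup of `kind`. Returns the final disk and the sets."""
    disk, archive, sets = {}, set(), []
    for day, changes in schedule:
        disk.update(changes)
        archive.update(changes)                 # writing a file sets its archive bit
        sets.append(take_backup(day, "normal" if day == "Mon" else kind, disk, archive))
    return disk, sets


def restore_plan(sets):
    """Sets to restore, in order: the last normal backup, then every incremental
    taken after it, or just the most recent differential."""
    last_full = max(i for i, s in enumerate(sets) if s.kind == "normal")
    later = sets[last_full + 1:]
    plan = [sets[last_full]] + [s for s in later if s.kind == "incremental"]
    diffs = [s for s in later if s.kind == "differential"]
    if diffs:
        plan.append(diffs[-1])
    return plan


def restore(plan):
    """Replay the sets in order; later copies of a file overwrite earlier ones."""
    disk = {}
    for s in plan:
        disk.update(s.files)
    return disk


# Constructed week of changes (names and contents are made up)
WEEK = [("Mon", {"a.txt": "a1", "b.txt": "b1", "c.txt": "c1"}),
        ("Tue", {"a.txt": "a2"}),
        ("Wed", {"d.txt": "d1"}),
        ("Thu", {"b.txt": "b2"}),
        ("Fri", {"a.txt": "a3"})]

if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        disk, sets = run_week(WEEK, kind)
        plan = restore_plan(sets)
        print(kind, [s.day for s in plan], restore(plan) == disk)
```

Dropping any one incremental from the plan loses the files captured only on that day (Wednesday's d.txt here), which is why the answer is "all five"; with differentials the Friday set alone already carries every change since Monday.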

8. What is Kerberos? If it fails, which protocol is used? Kerberos V5 is the default network authentication protocol in Active Directory: clients obtain tickets from the KDC on a domain controller and present them to services. If a ticket cannot be obtained (no KDC reachable, the server is addressed by IP address instead of name, or a down-level client or server is involved), Windows falls back to NTLM.

9. What is the Active Directory database file called? NTDS.DIT (NT Directory Services, Directory Information Tree), by default in %SystemRoot%\NTDS together with its transaction logs.


10. In an enterprise network, users with roaming profiles log on to different machines at different times, and their profiles load very slowly. How do you fix it? Enable Folder Redirection through Group Policy (My Documents, Application Data, Desktop), so the large folders stay on the server instead of being copied down at every logon and back up at every logoff.

11. Which tools use ICMP? ping (echo request and reply) and tracert/traceroute (TTL-exceeded replies). Telnet is a TCP application and does not use ICMP at all.

12. A machine already has Windows 2000 Server and a domain installed. How do you tell whether it is a DC, an additional DC or a member server? Run net accounts and read the "Computer role" line: PRIMARY on the PDC emulator, BACKUP on any other domain controller, SERVER on a member server.

13. What port does WINS (Windows Internet Name Service) use? 42: replication between WINS servers runs over TCP 42, while client name registration and queries use the NetBIOS name service on UDP 137.

14. When deploying software through Group Policy there are two options, Assigned and Published. What is the difference? Assigned to a user: the application is advertised on the Start menu at logon and installed on first use (or at logon, if "Install this application at logon" is set); assigned to a computer: installed at the next startup, before anyone logs on. Published (users only): the application is listed in Add/Remove Programs and the user installs it on demand, or it installs when a document of its registered type is opened.

15. What is the default replication interval between domain controllers? Within a site, a Windows 2000 DC notifies its partners 5 minutes after a change (15 seconds on Windows Server 2003), and urgent changes such as account lockouts replicate immediately. Between sites, the default site-link schedule is every 180 minutes (minimum 15 minutes).

16. How many root keys does the Registry have? What are they? Five: HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS and HKEY_CURRENT_CONFIG. Strictly, the "hives" are the on-disk files behind them (SAM, SECURITY, SOFTWARE and SYSTEM in %SystemRoot%\System32\config, plus each user's NTUSER.DAT).

17. How do you enable the Active Directory Schema snap-in on Windows Server 2003? Register the DLL from Run or a command prompt with regsvr32 schmmgmt.dll, then add "Active Directory Schema" to an MMC console.

18. What is the difference between subnetting and CIDR? Subnetting divides one network into several smaller ones by borrowing host bits for the network prefix. CIDR (classless inter-domain routing, also called supernetting) drops the class boundaries and lets contiguous, aligned networks be summarised into one route with a shorter prefix; routers then pick the longest matching prefix for each destination.
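Both operations with Python's standard ipaddress module, as an added example that is not part of the original page: splitting 192.168.0.0/24 into four /26 subnets, aggregating four /24s into one /22 (which only works when the blocks are contiguous and aligned on the new prefix), and the longest-prefix lookup a CIDR router performs. The addresses are illustrative.

```python
import ipaddress


def subnet(network, new_prefix):
    """Subnetting: carve one block into equal pieces with a longer prefix."""
    return [str(n) for n in ipaddress.ip_network(network).subnets(new_prefix=new_prefix)]


def supernet(networks):
    """CIDR aggregation: merge blocks into the fewest prefixes. Only contiguous,
    aligned blocks collapse; anything else is returned unchanged."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def route_for(routes, host):
    """Longest-prefix match: the most specific matching route wins."""
    ip = ipaddress.ip_address(host)
    matches = [ipaddress.ip_network(r) for r in routes if ip in ipaddress.ip_network(r)]
    return str(max(matches, key=lambda n: n.prefixlen)) if matches else None


if __name__ == "__main__":
    print(subnet("192.168.0.0/24", 26))
    print(supernet(["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]))
    print(supernet(["10.0.1.0/24", "10.0.2.0/24"]))      # not aligned: stays as two routes
    print(route_for(["0.0.0.0/0", "10.0.0.0/22", "10.0.3.0/24"], "10.0.3.7"))
```

The second supernet call shows the alignment rule: 10.0.1.0/24 and 10.0.2.0/24 are adjacent but 10.0.1.0 is not a multiple of a /23, so they cannot be expressed as one prefix.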

18. How many DNS root servers are there? 13 root server names (a through m.root-servers.net), each of which is served by many anycast instances around the world.


19. Where are the Group Policies and logon scripts you create stored by default? In the SYSVOL share of every domain controller (%SystemRoot%\SYSVOL\sysvol\<domain>\Policies), replicated between DCs by FRS; logon scripts go under the NETLOGON share (SYSVOL\<domain>\scripts).

20. After changing a Group Policy, which command applies it without a reboot? Windows 2000: secedit /refreshpolicy machine_policy (or user_policy), adding /enforce to reapply unchanged settings. Windows XP and Windows Server 2003: gpupdate (gpupdate /force to reapply everything).

21. How do you convert FAT to NTFS? convert D: /fs:ntfs (replace D: with the drive). It asks for the current volume label as confirmation; a system volume or one that is in use is converted at the next reboot. The conversion is one-way, and on Windows 2000 the converted volume ends up with Everyone: Full Control, so set proper NTFS permissions afterwards.

22. What extra feature does Windows 2000 Advanced Server add? Clustering (the two-node Cluster service and Network Load Balancing), along with support for more memory and processors.

23. How much memory does Windows 2000 Server support? 4 GB of RAM (Advanced Server 8 GB and Datacenter Server 32 GB, using PAE).

24. How many primary partitions can you create on a basic disk in Windows 2000 Server? Up to four, or three primary partitions plus one extended partition containing logical drives.

25. What is the difference between mirroring in Windows NT 4.0 Server and in Windows 2000 Server? NT 4.0 mirrors partitions on basic disks, recording the fault-tolerant set in the registry. Windows 2000 mirrors volumes on dynamic disks, whose configuration lives in the LDM database on the disks themselves; NT mirror sets can be read but must be upgraded to dynamic disks before they can be managed.

26. How do you create a boot disk for Windows NT or Windows 2000 Server? Format a floppy on the same operating system and copy NTLDR, NTDETECT.COM and BOOT.INI onto it. If the system disk is on a SCSI controller whose BIOS is disabled, also copy the controller's driver (*.sys) to the floppy renamed as NTBOOTDD.SYS, and use the scsi() syntax in BOOT.INI.

27. A Windows 2000 Professional system blue-screens with INACCESSIBLE_BOOT_DEVICE, and a web search suggests the MBR is infected. How do you clean it? Boot from the installation CD into the Recovery Console (Safe Mode never gets that far), run fixmbr to rewrite the master boot record and chkdsk /p to check the volume, then scan the disk with an up-to-date antivirus scanner from clean media. Also confirm the boot controller driver is present: a missing or wrong driver gives the same stop code.

28. You have four SCSI disks configured as a RAID 5 array with a hot spare. After two days one disk fails and you insert a replacement. What is the next step? Rebuild: the controller reconstructs the failed member's data from parity onto the spare or the new disk. Once the rebuild finishes, assign a new hot spare so the array is again protected against the next failure.

29. What is the default answer file in Remote Installation Services called? Ristndrd.sif, kept under the image's i386\templates folder on the RIS server.

30. What does the Emergency Repair Disk contain? Autoexec.nt, Config.nt and Setup.log. The registry backup itself stays in %SystemRoot%\repair, which is why the ERD alone cannot restore the SAM.

31. Which protocols (IIS components) must be installed before Microsoft Exchange 2000 Server? The SMTP and NNTP services of IIS.

32. What does the XP in Windows XP stand for? Experience.

1. Explain hidden shares. Hidden (administrative) shares have a dollar sign appended to their names: C$ and so on for the root of each drive, ADMIN$ for %SystemRoot%, IPC$ for named-pipe connections. They are created automatically at startup, do not appear in the network browse list, and the automatic ones can be used only by Administrators and Backup Operators. Any share name ending in $ is hidden from browsing, but hiding is not a permission; the share's own ACL still decides who can connect.

2. How do permissions work in Windows 2000? What does a folder inherit from its parent? A new folder inherits every inheritable ACE of its parent. Effective access combines the ACEs for the user and all of the user's groups: Allow entries accumulate, so the least restrictive result wins, but any Deny entry overrides an Allow. ACEs are evaluated in canonical order (explicit Deny, explicit Allow, inherited Deny, inherited Allow), so an explicit Allow on the object itself does beat a Deny inherited from the parent.

3. Why can't I encrypt a compressed file on Windows 2000? NTFS compression and EFS encryption are mutually exclusive attributes; setting one clears the other, so a file or folder is either compressed or encrypted, never both.

4. If I rename an account, what must I do so the renamed account keeps the same permissions? Nothing. Permissions are tied to the account's SID, which does not change on rename (unlike deleting the account and creating a new one with the same name).

5. What is the most powerful group on a Windows system? Administrators (in a domain, Domain Admins and Enterprise Admins get their power by being members of it).

6. What accessibility features does Windows 2000 have? StickyKeys, FilterKeys, ToggleKeys, Narrator, Magnifier and the On-Screen Keyboard.

7. Why can't I get to the Fax Service Management console? It only appears once the Fax service has been installed, which happens when a fax device is set up.

8. What do I need to ensure before deploying an application via Group Policy? That it is a Windows Installer package (.msi), or that you have a .zap file describing its legacy setup program (.zap applications can only be published, not assigned).

9. How do you configure mandatory profiles? Rename NTUSER.DAT to NTUSER.MAN in the profile folder; changes made during the session are then discarded at logoff.

10. I can't get multiple displays to work in Windows 2000. Multiple displays require PCI or AGP adapters with drivers that support multi-monitor operation; ISA adapters are not supported.


11. What is the maximum number of processors Windows 2000 supports? 2 on Professional, 4 on Server, 8 on Advanced Server and 32 on Datacenter Server.

12. I had NTFS volumes under my Windows NT installation. What happened to them after the Windows 2000 installation? They were upgraded to NTFS 5 (NT 4.0 needs SP4 or later to read that version).

13. How do you convert a drive from FAT/FAT32 to NTFS from the command line? convert c: /fs:ntfs

14. Explain APIPA. Automatic Private IP Addressing takes effect on Windows 2000 Professional when no DHCP server can be contacted. The computer picks an address in 169.254.0.0/16 (169.254.0.1 through 169.254.255.254, mask 255.255.0.0), verifies with ARP that nobody else uses it, and keeps retrying DHCP every five minutes. No default gateway or DNS server is assigned, so the host can only talk to its own segment.

15. How does Internet Connection Sharing work on Windows 2000? ICS turns the machine into a NAT router. Its LAN adapter takes 192.168.0.1, the DHCP Allocator service hands out 192.168.0.2 through 192.168.0.254 (mask 255.255.255.0) to LAN clients, and the DNS Proxy service, enabled with ICS, forwards their name queries to the ISP's resolvers.

Microsoft Win32 interview questions

1. What are the differences between Windows 95 and Windows NT? Windows 95 lacks Unicode versions of most Win32 functions; the extended error codes differ; the numbers of window and menu handles differ; Windows 95 implements some window-management features in 16-bit code and uses a 16-bit world coordinate system with coordinates limited to 32K; deletion of drawing objects behaves differently; Windows 95 does not implement NT's print monitor DLLs; the registries differ; Windows 95 does not support multiprocessor machines; the NT scheduler is quite different; the driver models differ; Windows 95 was built with backward compatibility in mind, so an ill-behaved 16-bit process can easily corrupt the system; Windows 95 boots from real-mode DOS, while NT runs DOS programs in an emulated environment (NTVDM); and Windows 95's VFAT is built over the 16-bit Windows 3.1 FAT (FAT32 only arrived with OSR2).

Windows Server 2003 IIS and Scripting interview questions

1. What is presentation layer responsible for in the OSI model? The presentation layer establishes the data format prior to passing it along to the network application’s interface. TCP/IP networks perform this task at the application layer.

2. Does Windows Server 2003 support IPv6? Yes. Install the stack with netsh interface ipv6 install and remove it with netsh interface ipv6 uninstall (ipv6.exe is the older Windows XP tool).


3. Can Windows Server 2003 function as a bridge? Yes. The Network Bridge feature joins several network adapters into a single layer-2 segment (select the adapters in Network Connections and choose Bridge Connections). That is different from enabling IP routing in Routing and Remote Access, which forwards between separate subnets at layer 3.

4. What is the difference between a basic disk and a dynamic disk? A basic disk uses the MBR partition table: primary partitions, an extended partition with logical drives, and static volumes. A dynamic disk keeps its configuration in the LDM database on the disk itself and manages volumes dynamically, which allows spanned, striped, mirrored and RAID-5 volumes and resizing without a reboot.

5. What’s a media pool? It is any compilation of disks or tapes with the same administrative properties. 

6. How do you install the Recovery Console? Run winnt32.exe /cmdcons from the i386 folder of the installation media (for example D:\i386\winnt32.exe /cmdcons); it copies the console to the system drive and adds an entry to Boot.ini.

7. What is new in Terminal Services for Windows Server 2003? Audio redirection to the client, alongside local drive, printer, port and clipboard redirection and 24-bit colour; audio in particular adds heavy network load, so plan bandwidth accordingly.

8. What scripts ship with IIS 6.0? iisweb.vbs to create, delete, start, stop and list Web sites; iisftp.vbs to do the same for FTP sites; iisvdir.vbs to create, delete and display virtual directories; iisftpdr.vbs for virtual directories under an FTP root; iiscnfg.vbs to export and import the IIS configuration as XML; plus iisback.vbs for metabase backups, iisext.vbs for Web service extensions and iisapp.vbs to list worker processes.

9. What is the name of the user that connects to a Web site anonymously? IUSR_computername, a local account in the Guests group. Every anonymous request runs under its token, so the NTFS permissions granted to IUSR_computername bound what anonymous visitors can read.

10. Which authentication and encryption mechanisms does IIS 6.0 support? Basic authentication (credentials are only base64-encoded, so use it over SSL/TLS only), Digest and Advanced Digest authentication, Integrated Windows authentication (NTLM and Kerberos), .NET Passport, certificate-based transactions with PKCS #7/PKCS #10 enrollment, Fortezza, SSL 3.0, TLS 1.0 and Server-Gated Cryptography.

11. What is the relation between SSL and TLS? TLS 1.0 (RFC 2246) is the IETF standardisation of SSL 3.0: the same handshake structure with a revised key derivation and an HMAC-based record MAC. The two are not wire-compatible, but a TLS client and server can negotiate down to SSL 3.0 if both allow it.

12. What is the role of http.sys in IIS 6.0? It is the kernel-mode HTTP listener and the point of contact for every incoming request. It parses and queues requests for the worker process (w3wp.exe) of the right application pool and serves cached static responses itself, so a hung or crashed worker does not take the listener down. Queued requests wait until they are served, the pool's queue limit is hit (503 is returned), or the server is stopped.

13. Where is the ASP template cache located in IIS 6.0? Compiled ASP templates are cached in memory and, once the in-memory cache is full, persisted to disk under %SystemRoot%\system32\inetsrv\ASP Compiled Templates, whereas IIS 5 kept them only in memory.

14. What is socket pooling? Web sites bound to the same port share one listening socket per port instead of one per IP address, so adding sites does not exhaust non-paged pool memory. It was introduced in IIS 5.0; in IIS 6.0 http.sys listens on behalf of all sites, and sites that need their own socket are listed with httpcfg.

15. Describe the process of clustering with Windows 2003 Server when a new node is added. As a node goes online, it searches for other nodes to join by polling the designated internal network. In this way, all nodes are notified of the new node’s existence. If other nodes cannot be found on a preexisting cluster, the new node takes control of the quorum resources residing on the shared disk that contains state and configuration data.

16. What applications are not capable of performing in Windows 2003 Server clusters? The ones written exclusively for NetBEUI and IPX.

17. What is a heartbeat? The periodic messages cluster nodes exchange over the private network to confirm that each node is still alive; missing heartbeats trigger failover.

18. What’s a threshold in clustered environment? The number of times a restart is attempted, when the node fails.

19. You need to change the Cluster service account password on a clustered Windows box. Doesn't that require rebooting the cluster? No. In a Windows Server 2003 cluster you run cluster /changepass with the new and old passwords; it updates the account in the directory and the service on every node without restarting the cluster.

20. For the document of size 1 MB, what size would you expect the index to be with Indexing Service? 150-300 KB, 15-30% is a reasonable expectation.

21. Doesn't the Indexing Service introduce a security flaw by allowing access to the index? Not by design: query results are filtered against the NTFS ACLs, so users see only documents and folders they already have permission to read. The catalog files do contain extracted document contents, though, so they must be protected as carefully as the documents themselves.

22. What’s the typical size of the index? Less then 100K documents - up to 128 MB. More than that - 256+ MB.

23. Which characters should be enclosed in quotes when searching the index? &, @, $, #, ^, ( ), and |.

24. How would you search for C++? Just enter C++, since + is not a special character (and neither is C).

25. What about Barnes&Noble? Search for it as Barnes'&'Noble.

26. Are the searches case-sensitive? No.

27. What is the order of precedence of Boolean operators in the Windows Server 2003 Indexing Service? NOT, AND, NEAR, OR.

28. What is a vector space query? A multiple-word query in which a weight can be assigned to each search word. For example, to find information on 'black hole' while giving more weight to the word hole, enter black[1] hole[20] in the search window.

29. What’s a response queue? It’s the message queue that holds response messages sent from the receiving application to the sender.

30. What’s MQPing used for? Testing Microsoft Message Queue services between the nodes on a network.

31. Which add-on package for Windows 2003 Server would you use to monitor the installed software and license compliance? SMS (System Management Server).

32. Which service do you use to set up various alerts? MOM (Microsoft Operations Manager).

33. What languages does Windows Script Host support? VBScript and JScript out of the box, plus any other installed ActiveX scripting engine (such as PerlScript).


Windows Server 2003 Active Directory and Security questions

1. What is the difference between domain local, global and universal groups? Domain local groups can contain accounts and groups from any trusted domain but can be granted permissions only on resources in their own domain, so they are the groups you put on ACLs. Global groups can contain only accounts (and, in native mode, other global groups) from their own domain, but can be granted permissions in any trusted domain. Universal groups can contain members from any domain in the forest and be used anywhere in it; their membership is replicated to every global catalog. The usual pattern is accounts into global groups, global groups into domain local groups, permissions on the domain local group (AGDLP).

2. I am trying to create a new universal group. Why can't I? Universal security groups require the domain functional level Windows 2000 native or higher, which means every domain controller must run Windows 2000 or later (no NT 4.0 BDCs). In mixed mode only universal distribution groups can be created.

3. What is LSDOU? The Group Policy processing order: Local machine, Site, Domain, Organizational Unit. Later levels override earlier ones where settings conflict, unless a GPO higher up is set to No Override.

4. Why doesn't LSDOU work under Windows NT? NT has System Policy rather than Group Policy. If an NTConfig.pol file exists it is applied with the highest priority, on top of whatever Group Policy did, and its settings are tattooed into the registry.

5. Where are group policies stored? The local GPO is in %SystemRoot%\System32\GroupPolicy; domain GPOs are split between SYSVOL (the template) and Active Directory (the container).

6. What are the GPT and GPC? The Group Policy Template (the folder of files in SYSVOL) and the Group Policy Container (the object in Active Directory that holds the version number and status).

7. Where is the GPT stored? %SystemRoot%\SYSVOL\sysvol\<domainname>\Policies\{GUID}

8. You change the group policies, and now the computer and user settings are in conflict. Which one has the highest priority? The computer settings.

9. You want to set up remote installation procedure, but do not want the user to gain access over it. What do you do? gponame–> User Configuration–> Windows Settings–> Remote Installation Services–> Choice Options is your friend.

10. What’s contained in administrative template conf.adm? Microsoft NetMeeting policies

11. How can you restrict running certain applications on a machine? Via Group Policy: Computer (or User) Configuration, Windows Settings, Security Settings, Software Restriction Policies, using hash, certificate, path or Internet zone rules.

12. You need to automatically install an app, but MSI file is not available. What do you do? A .zap text file can be used to add applications using the Software Installer, rather than the Windows Installer.

13. What’s the difference between Software Installer and Windows Installer? The former has fewer privileges and will probably require user intervention. Plus, it uses .zap files.

14. What can be restricted on Windows Server 2003 that wasn’t there in previous products? Group Policy in Windows Server 2003 determines a users right to modify network and dial-up TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network configuration parameters.

15. How frequently is the client policy refreshed? Every 90 minutes plus a random offset of up to 30 minutes (domain controllers every 5 minutes).

16. Where is secedit? Its policy-refresh job moved to gpupdate; secedit itself remains for analysing and applying security templates.

17. You want to create a new group policy but do not wish to inherit. Check Block Policy inheritance on the container when linking the policy; a GPO linked higher up with No Override still applies.

18. What is "tattooing" the Registry? Settings written outside the policy keys that Group Policy maintains (the Policies subtrees of HKLM\Software and HKCU\Software). When the policy is removed or changed, those values persist because nothing cleans them up, and the user can view and modify them as ordinary preferences.

19. How do you fight tattooing in NT/2000 installations? You can't.

20. How do you fight tattooing in 2003 installations? User Configuration, Administrative Templates, System, Group Policy: enable Enforce Show Policies Only, so that only true policy settings can be configured.

21. What does IntelliMirror do? It helps to reconcile desktop settings, applications, and stored files for users, particularly those who move between workstations or those who must periodically work offline.


22. What’s the major difference between FAT and NTFS on a local machine? FAT and FAT32 provide no security over locally logged-on users. Only native NTFS provides extensive permission control on both remote and local files.

23. How do FAT and NTFS differ in their approach to user shares? They don't; both can be shared and carry share permissions. Only NTFS adds file-level permissions underneath the share, and the more restrictive of the two applies.

24. Explain the List Folder Contents permission on an NTFS folder. It grants the same rights as Read & Execute but is inherited only by subfolders, not by the files within the folder.

25. A user has access to a file but no permission on the folder containing it. Can he access it? Yes. By default every user holds the Bypass traverse checking privilege, so NTFS does not require permissions on the folders along the path. He cannot browse to the file in My Computer, but typing its full local or UNC path into the Run dialog opens it. To stop this, deny access on the file itself or remove the privilege in the security policy.

26. For a user in several groups, are Allow permissions restrictive or permissive? Permissive, if at least one group has Allow permission for the file/folder, user will have the same permission.

27. For a user in several groups, are Deny permissions restrictive or permissive? Restrictive, if at least one group has Deny permission for the file/folder, user will be denied access, regardless of other group permissions.
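The rules in questions 26 and 27 (and in question 2 of the Windows 2000 set) as an added example that is not part of the original page: a Python model of the Windows access check over an ACL sorted into canonical order (explicit Deny, explicit Allow, inherited Deny, inherited Allow). The users, groups and ACLs are constructed, and the four rights are a simplified mask rather than the real ACCESS_MASK bits.

```python
from dataclasses import dataclass

# Simplified rights mask (hypothetical; real NTFS uses the ACCESS_MASK bits)
READ, WRITE, EXECUTE, DELETE = 1, 2, 4, 8
FULL = READ | WRITE | EXECUTE | DELETE


@dataclass
class Ace:
    kind: str                 # "allow" or "deny"
    trustee: str              # user or group name (a SID in the real thing)
    mask: int
    inherited: bool = False   # propagated from the parent folder


def canonical(acl):
    """Windows keeps ACEs in canonical order; the result of the check depends on it."""
    order = {(False, "deny"): 0, (False, "allow"): 1,
             (True, "deny"): 2, (True, "allow"): 3}
    return sorted(acl, key=lambda a: order[(a.inherited, a.kind)])


def access_check(acl, token, desired):
    """token: the user's own SID plus every group SID in the logon token.
    Walk the ACEs in order: a Deny that touches any still-wanted bit fails the
    check; Allows accumulate until nothing is left wanted."""
    remaining = desired
    for ace in canonical(acl):
        if ace.trustee not in token:
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0


def effective(acl, token):
    """The individual rights the user ends up with (the Effective Permissions tab)."""
    return sum(bit for bit in (READ, WRITE, EXECUTE, DELETE)
               if access_check(acl, token, bit))


# Constructed tokens
ALICE = {"alice", "Users", "Finance", "Everyone"}
BOB = {"bob", "Users", "Everyone"}
CAROL = {"carol", "Users", "Finance", "Everyone"}

# An explicit Deny on one of alice's groups beats the explicit Allow on alice herself
ACL_REPORTS = [Ace("allow", "alice", FULL),
               Ace("deny", "Finance", WRITE),
               Ace("allow", "Users", READ | EXECUTE, inherited=True)]

# An explicit Allow on the file beats a Deny inherited from the folder
ACL_LOG = [Ace("deny", "Everyone", DELETE, inherited=True),
           Ace("allow", "alice", DELETE)]

# Allows granted to different groups add up
ACL_SHARED = [Ace("allow", "Users", READ, inherited=True),
              Ace("allow", "Finance", WRITE, inherited=True)]

if __name__ == "__main__":
    print(effective(ACL_REPORTS, ALICE))   # 13: READ, EXECUTE and DELETE but not WRITE
    print(access_check(ACL_LOG, ALICE, DELETE), access_check(ACL_LOG, BOB, DELETE))
    print(effective(ACL_SHARED, CAROL), effective(ACL_SHARED, BOB))
```

Note that a Deny only bites on the bits still being requested: alice is refused WRITE on the reports ACL, yet a request for READ alone sails past the Finance Deny, which is exactly why the Effective Permissions tab, not a glance at the Allow entries, is the way to reason about a user in several groups.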

28. What hidden shares exist on a Windows Server 2003 installation? ADMIN$ (%SystemRoot%), a <drive>$ share for each local drive, IPC$, print$ once a printer is shared and FAX$ if the Fax service is installed. On a domain controller NETLOGON and SYSVOL are also present, but those are ordinary, visible shares.

29. What’s the difference between standalone and fault-tolerant DFS (Distributed File System) installations? The standalone server stores the Dfs directory tree structure or topology locally. Thus, if a shared folder is inaccessible or if the Dfs root server is down, users are left with no link to the shared resources. A fault-tolerant root node stores the Dfs topology in the Active Directory, which is replicated to other domain controllers. Thus, redundant root nodes may include multiple connections to the same data residing in different shared folders.

30. We are using a fault-tolerant (domain-based) DFS root but cannot access it from a Windows 98 box. Use the UNC path of the underlying shared folder rather than the domain root; only Windows 2000 and later clients can access Windows Server 2003 fault-tolerant roots without an add-on DFS client.

31. Where exactly do fault-tolerant DFS roots store their information in Active Directory? In the Partition Knowledge Table (PKT), held in the DFS configuration object under CN=Dfs-Configuration,CN=System in the domain partition, which is replicated to every domain controller of the domain.

32. Can you use Start, Search with DFS shares? Yes.

33. What problems can you have with DFS installed? Two users opening redundant copies of the same file at the same time, since DFS does no cross-replica file locking, changing the contents and then saving. Only one version will be propagated through DFS.

34. I run Microsoft Cluster Server and cannot install fault-tolerant DFS. Yeah, you can’t. Install a standalone one.

35. Is Kerberos encryption symmetric or asymmetric? Symmetric: the KDC, tickets and authenticators use shared secret keys (RC4-HMAC or DES in Windows Server 2003). Asymmetric cryptography appears only at the initial logon with a smart card (PKINIT).


36. How does Windows Server 2003 try to prevent man-in-the-middle and replay attacks on the encrypted exchange? Through Kerberos pre-authentication and authenticators: the client's initial request carries a timestamp encrypted with the user's key, and every service request carries an authenticator (client name and timestamp) encrypted with the session key that only the client and the service share. Each side rejects timestamps outside the permitted clock skew (5 minutes by default) and keeps a cache of recent authenticators so that a captured one cannot be replayed.
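A Python sketch of why the timestamp matters, as an added example that is not part of the original page: a service validating authenticators against the 5-minute skew window and a replay cache. The session-key encryption of a real Kerberos authenticator is stood in for by an HMAC-SHA256 tag, which is enough to show forgery, skew and replay being rejected but provides no confidentiality; the key, client name and times are made up.

```python
import hashlib
import hmac

MAX_SKEW = 300          # Kerberos default: 5 minutes of tolerated clock difference


def seal(session_key, client, timestamp):
    """Stand-in for encrypting the authenticator: the message plus a keyed tag."""
    msg = f"{client}|{int(timestamp)}".encode()
    return msg, hmac.new(session_key, msg, hashlib.sha256).digest()


class Service:
    """Server side of AP-REQ processing: verify the key, check skew, reject replays."""

    def __init__(self, session_key):
        self.key = session_key
        self.seen = {}      # (client, timestamp) -> time after which the entry can go

    def accept(self, authenticator, now):
        msg, tag = authenticator
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "bad key"                      # not sealed with our session key
        client, ts = msg.decode().split("|")
        ts = int(ts)
        if abs(now - ts) > MAX_SKEW:
            return "clock skew"                   # KRB_AP_ERR_SKEW
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}  # expire cache
        if (client, ts) in self.seen:
            return "replay"                       # KRB_AP_ERR_REPEAT
        self.seen[(client, ts)] = ts + MAX_SKEW   # keep it until skew would reject it anyway
        return "ok"


# Constructed session: the key, client and epoch seconds are made up
SESSION_KEY = b"shared-session-key"
T0 = 1_000_000


def demo():
    svc = Service(SESSION_KEY)
    auth = seal(SESSION_KEY, "alice", T0)
    first = svc.accept(auth, T0 + 1)                                   # ok
    replayed = svc.accept(auth, T0 + 2)                                # same authenticator again
    stale = svc.accept(seal(SESSION_KEY, "alice", T0 - 900), T0)      # captured 15 minutes ago
    forged = svc.accept((b"mallory|" + str(T0).encode(), auth[1]), T0)  # tag does not match
    return first, replayed, stale, forged


if __name__ == "__main__":
    print(demo())
```

The replay cache only has to remember entries for the skew window: anything older is rejected by the clock check first, which is what keeps the cache small on a busy server. Real Kerberos authenticators additionally carry a microsecond field and an optional sequence number, so two legitimate requests in the same second do not collide.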

37. What hashing algorithms are used in Windows 2003 Server? RSA Data Security’s Message Digest 5 (MD5), produces a 128-bit hash, and the Secure Hash Algorithm 1 (SHA-1), produces a 160-bit hash.

38. What third-party certificate exchange protocols are used by Windows 2003 Server? Windows Server 2003 uses the industry standard PKCS-10 certificate request and PKCS-7 certificate response to exchange CA certificates with third-party certificate authorities.

39. What is the number of permitted unsuccessful logons on the Administrator account? Unlimited by default: the built-in Administrator account (RID 500) is exempt from the lockout policy. With the Resource Kit tool passprop /adminlockout it can be made lockable for network logons, while console logon stays possible. Remember that this applies to the Administrator account itself, not to every member of the Administrators group.

40. If hashing is a one-way function and Windows stores passwords as hashes, how is it possible to attack the password lists, specifically the ones using NTLMv1? The NT hash is an unsalted MD4 of the UTF-16LE password, so an attacker hashes every candidate (a dictionary, then brute force) and compares the results against the dump. Because there is no salt, one set of candidate hashes, or a precomputed rainbow table, works against every account, and two users with the same password have the same hash. The LM hash kept alongside for compatibility is weaker still (password uppercased and split into two 7-character DES halves), and with NTLMv1 a captured challenge-response exchange can be cracked offline in the same way.

41. What’s the difference between guest accounts in Server 2003 and other editions? More restrictive in Windows Server 2003.

42. How many passwords are remembered by default when "Enforce password history" is set? 24 in the Windows Server 2003 Default Domain Policy (the setting ranges from 0 to 24); Windows 2000 defaulted to 1.


Windows Server 2003 interview and certification questions


1. How do you double-boot a Win 2003 server box? The Boot.ini file is set as read-only, system, and hidden to prevent unwanted editing. To change the Boot.ini timeout and default settings, use the System option in Control Panel from the Advanced tab and select Startup.

2. What do you do if earlier application doesn’t run on Windows Server 2003? When an application that ran on an earlier legacy version of Windows cannot be loaded during the setup function or if it later malfunctions, you must run the compatibility mode function. This is accomplished by right-clicking the application or setup program and selecting Properties –> Compatibility –> selecting the previously supported operating system.

3.  If you uninstall Windows Server 2003, which operating systems can you revert to? Win ME and Win 98.


4. How do you get to Internet Firewall settings? Start –> Control Panel –> Network and Internet Connections –> Network Connections.

5. What are the Windows Server 2003 keyboard shortcuts? Winkey opens or closes the Start menu. Winkey + BREAK displays the System Properties dialog box. Winkey + TAB moves the focus to the next application in the taskbar. Winkey + SHIFT + TAB moves the focus to the previous application in the taskbar. Winkey + B moves the focus to the notification area. Winkey + D shows the desktop. Winkey + E opens Windows Explorer showing My Computer. Winkey + F opens the Search panel. Winkey + CTRL + F opens the Search panel with Search for Computers module selected. Winkey + F1 opens Help. Winkey + M minimizes all. Winkey + SHIFT+ M undoes minimization. Winkey + R opens Run dialog. Winkey + U opens the Utility Manager. Winkey + L locks the computer.

6. What is Active Directory? Active Directory is a network-based object store and service that locates and manages resources, and makes these resources available to authorized users and groups. An underlying principle of the Active Directory is that everything is considered an object—people, servers, workstations, printers, documents, and devices. Each object has certain attributes and its own security access control list (ACL).

7. Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003? The Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read and write relationship that hosts copies of the Active Directory.

8. How long does it take for security changes to be replicated among the domain controllers? Security-related modifications are replicated within a site immediately. These changes include account and individual user lockout policies, changes to password policies, changes to computer account passwords, and modifications to the Local Security Authority (LSA).

9. What’s new in Windows Server 2003 regarding the DNS management? When DC promotion occurs with an existing forest, the Active Directory Installation Wizard contacts an existing DC to update the directory and replicate from the DC the required portions of the directory. If the wizard fails to locate a DC, it performs debugging and reports what caused the failure and how to fix the problem. In order to be located on a network, every DC must register in DNS DC locator DNS records. The Active Directory Installation Wizard verifies a proper configuration of the DNS infrastructure. All DNS configuration debugging and reporting activity is done with the Active Directory Installation Wizard.

10. When should you create a forest? Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand names often give rise to separate DNS identities. Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and joint ventures. While access to common resources is desired, a separately defined tree can enforce more direct administrative and security restrictions.

11. How can you authenticate between forests? Four types of authentication are used across forests: (1) Kerberos and NTLM network logon for remote access to a server in another forest; (2) Kerberos and NTLM interactive logon for physical logon outside the user's home forest; (3) Kerberos delegation to an N-tier application in another forest; and (4) user principal name (UPN) credentials.

12. What snap-in administrative tools are available for Active Directory? Active Directory Domains and Trusts, Active Directory Sites and Services, Active Directory Users and Computers, Active Directory Schema (from adminpak, after registering schmmgmt.dll) and, for replication, the Replication Monitor (replmon) from the Support Tools.

13. What types of classes exist in Windows Server 2003 Active Directory?

o Structural class. The only type from which new Active Directory objects are instantiated, which is what matters to the system administrator. Structural classes derive from an existing structural class or from one or more abstract classes.

o Abstract class. Templates from which other abstract, structural and auxiliary classes are derived; think of them as frameworks for defining objects. No object is ever an instance of an abstract class on its own.

o Auxiliary class. A list of attributes that can be attached to a structural class in a single include step, instead of adding the attributes one by one.

o 88 class. Object classes defined under the 1988 X.500 specification, before the 1993 revision introduced the structural, abstract and auxiliary categories. This type is not used for developing new classes in Windows Server 2003 environments.

14. How do you delete a lingering object? Windows Server 2003 provides a command called Repadmin that provides the ability to delete lingering objects in the Active Directory. 

15. What is the Global Catalog? The Global Catalog holds a partial replica of every object in the forest, so it answers queries that span domains or trees and supplies the universal group memberships and UPN resolution needed to complete a logon. Every forest has at least one GC (the first domain controller), and it is normally placed in every site so that logons do not fail when the WAN link is down, as was the usual practice in Windows 2000; Windows Server 2003 can instead cache universal group membership on a site's domain controllers.

16. How is user account security established in Windows Server 2003? When an account is created, it is given a unique access number known as a security identifier (SID). Every group to which the user belongs has an associated SID. The user and related group SIDs together form the user account’s security token, which determines access levels to objects throughout the system and network. SIDs from the security token are mapped to the access control list (ACL) of any object the user attempts to access.

17. If I delete a user and then create a new account with the same username and password, would the SID and permissions stay the same? No. If you delete a user account and attempt to recreate it with the same user name and password, the SID will be different. 

18. What do you do about secure sign-on in an organization with many roaming users? The Credential Manager (Stored User Names and Passwords) of Windows Server 2003 gives users a consistent single sign-on experience as they move between computers. It keeps a DPAPI-protected store of credentials, including passwords and X.509 certificates, in the user's profile, so a roaming profile carries it along.

19. Anything special you should do when adding a user who logs on from a Mac? Select "Store password using reversible encryption" on the Account tab of the user's properties, because Macintosh clients using the Apple standard user authentication module need the server to have the plaintext password. That makes the password recoverable by anyone who can read the directory, so enable it only for the accounts that really need it.

20. What remote access options does Windows Server 2003 support? Dial-in, VPN, dial-in with callback.

21. Where are the documents and settings for the roaming profile stored? All the documents and environmental settings for the roaming user are stored locally on the system, and, when the user logs off, all changes to the locally stored profile are copied to the shared server folder. Therefore, the first time a roaming user logs on to a new system the logon process may take some time, depending on how large his profile folder is.

22. Where are the settings for all the users stored on a given machine? \Documents and Settings\All Users

23. What languages can you use for log-on scripts? JavaScript, VBScript, DOS batch files (.com, .bat, or even .exe)

1. How do you dual-boot a Win 2003 server box? The Boot.ini file is set as read-only, system, and hidden to prevent unwanted editing. To change the Boot.ini timeout and default settings, use the System option in Control Panel, go to the Advanced tab and select Startup.

2. What do you do if an older application doesn’t run on Windows Server 2003? When an application that ran on an earlier legacy version of Windows cannot be loaded during setup, or if it later malfunctions, you must run it in compatibility mode. This is done by right-clicking the application or setup program and selecting Properties –> Compatibility –> the previously supported operating system.

3.  If you uninstall Windows Server 2003, which operating systems can you revert to? Win ME and Win 98.

4. How do you get to Internet Firewall settings? Start –> Control Panel –> Network and Internet Connections –> Network Connections.

5. What are the Windows Server 2003 keyboard shortcuts? Winkey opens or closes the Start menu. Winkey + BREAK displays the System Properties dialog box. Winkey + TAB moves the focus to the next application in the taskbar. Winkey + SHIFT + TAB moves the focus to the previous application in the taskbar. Winkey + B moves the focus to the notification area. Winkey + D shows the desktop. Winkey + E opens Windows Explorer showing My Computer. Winkey + F opens the Search panel. Winkey + CTRL + F opens the Search panel with Search for Computers module selected. Winkey + F1 opens Help. Winkey + M minimizes all. Winkey + SHIFT+ M undoes minimization. Winkey + R opens Run dialog. Winkey + U opens the Utility Manager. Winkey + L locks the computer.

6. What is Active Directory? Active Directory is a network-based object store and service that locates and manages resources, and makes these resources available to authorized users and groups. An underlying principle of the Active Directory is that everything is considered an object—people, servers, workstations, printers, documents, and devices. Each object has certain attributes and its own security access control list (ACL).

7. Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003? The Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read and write relationship that hosts copies of the Active Directory.

8. How long does it take for security changes to be replicated among the domain controllers? Security-related modifications are replicated within a site immediately. These changes include account and individual user lockout policies, changes to password policies, changes to computer account passwords, and modifications to the Local Security Authority (LSA).

9. What’s new in Windows Server 2003 regarding the DNS management? When DC promotion occurs with an existing forest, the Active Directory Installation Wizard contacts an existing DC to update the directory and replicate from the DC the required portions of the directory. If the wizard fails to locate a DC, it performs debugging and reports what caused the failure and how to fix the problem. In order to be located on a network, every DC must register in DNS DC locator DNS records. The Active Directory Installation Wizard verifies a proper configuration of the DNS infrastructure. All DNS configuration debugging and reporting activity is done with the Active Directory Installation Wizard.

10. When should you create a forest? Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand names often give rise to separate DNS identities. Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and joint ventures. While access to common resources is desired, a separately defined tree can enforce more direct administrative and security restrictions.

11. How can you authenticate between forests? Four types of authentication are used across forests: (1) Kerberos and NTLM network logon for remote access to a server in another forest; (2) Kerberos and NTLM interactive logon for physical logon outside the user’s home forest; (3) Kerberos delegation to N-tier application in another forest; and (4) user principal name (UPN) credentials.

12. What snap-in administrative tools are available for Active Directory? Active Directory Domains and Trusts Manager, Active Directory Sites and Services Manager, Active Directory Users and Group Manager, Active Directory Replication (optional, available from the Resource Kit), Active Directory Schema Manager (optional, available from adminpak)

13. What types of classes exist in Windows Server 2003 Active Directory?

o Structural class. The structural class is important to the system administrator in that it is the only type from which new Active Directory objects are created. Structural classes are developed from either the modification of an existing structural type or the use of one or more abstract classes.

o Abstract class. Abstract classes are so named because they take the form of templates that actually create other templates (abstracts) and structural and auxiliary classes. Think of abstract classes as frameworks for the defining objects.

o Auxiliary class. The auxiliary class is a list of attributes. Rather than apply numerous attributes when creating a structural class, it provides a streamlined alternative by applying a combination of attributes with a single include action.

o 88 class. The 88 class includes object classes defined prior to 1993, when the 1988 X.500 specification was adopted. This type does not use the structural, abstract, and auxiliary definitions, nor is it in common use for the development of objects in Windows Server 2003 environments.

14. How do you delete a lingering object? Windows Server 2003 provides a command called Repadmin that provides the ability to delete lingering objects in the Active Directory. 


1. How can you authenticate between forests?

Windows 2000 always uses NTLM for authentication between forests; 2003 will use Kerberos if and only if DNS is used while setting up the domains. If the NetBIOS name is used, NTLM is used for 2003.

Tech Interviews comment by Anonymous

1. Describe how the DHCP lease is obtained.

It’s a four-step process consisting of (a) IP request, (b) IP offer, (c) IP selection and (d) acknowledgement.

2. I can’t seem to access the Internet, don’t have any access to the corporate network and on ipconfig my address is 169.254.*.*. What happened?

An address in the 169.254.*.* range is assigned to Windows machines running 98/2000/XP if the DHCP server is not available. The name for the technology is APIPA (Automatic Private Internet Protocol Addressing).

3. We’ve installed a new Windows-based DHCP server, however, the users do not seem to be getting DHCP leases off of it.

The server must be authorized first with the Active Directory.
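Questions 1 to 3 above describe the lease exchange, the APIPA fallback and the authorization requirement. The Python simulation below is added here as an illustration and is not part of the original dump or of any Microsoft code: it walks one client through DISCOVER, OFFER, REQUEST and ACK against a toy server object, and falls back to a 169.254.x.x address when no authorized server answers. The server class, the pool 10.0.0.50-10.0.0.51, the server address 10.0.0.1 and the MAC addresses are all constructed for the example, and the APIPA picker is a deterministic stand-in for the random selection a real client performs.

```python
import ipaddress
import random

APIPA_NET = ipaddress.ip_network("169.254.0.0/16")
LEASE_SECONDS = 8 * 3600   # constructed lease length for the example


class DhcpServer:
    """Toy DHCP server. An unauthorized Windows DHCP server in an AD domain stays
    silent, which is what question 3 describes, so that is modelled with a flag."""

    def __init__(self, pool, server_ip="10.0.0.1", authorized=True):
        self.pool = list(pool)          # addresses still free to hand out
        self.server_ip = server_ip
        self.authorized = authorized
        self.leases = {}                # mac -> address

    def handle(self, msg):
        if not self.authorized:
            return None                 # unauthorized server never replies
        if msg["type"] == "DISCOVER":
            if not self.pool:
                return None             # scope exhausted: no offer
            return {"type": "OFFER", "xid": msg["xid"],
                    "yiaddr": self.pool[0], "server": self.server_ip}
        if msg["type"] == "REQUEST" and msg["server"] == self.server_ip:
            addr = msg["requested"]
            if addr in self.pool:
                self.pool.remove(addr)
                self.leases[msg["mac"]] = addr
                return {"type": "ACK", "xid": msg["xid"], "yiaddr": addr,
                        "lease_seconds": LEASE_SECONDS}
            return {"type": "NAK", "xid": msg["xid"]}
        return None


def apipa_address(mac):
    """Deterministic stand-in for the client's random pick in 169.254.1.0-169.254.254.255."""
    octet_sum = sum(int(part, 16) for part in mac.split(":"))
    third = 1 + octet_sum % 254
    fourth = (octet_sum * 7) % 256
    return str(ipaddress.ip_address(int(APIPA_NET.network_address) + third * 256 + fourth))


def is_apipa(addr):
    """True for the 169.254.*.* range that ipconfig shows when no DHCP server answered."""
    return ipaddress.ip_address(addr) in APIPA_NET


def dhcp_client(mac, servers):
    """Run the four-step lease (DISCOVER, OFFER, REQUEST, ACK) and return
    (address, transcript). Every message sent or received is recorded."""
    xid = random.getrandbits(32)       # transaction id ties replies to this exchange
    transcript = []

    discover = {"type": "DISCOVER", "xid": xid, "mac": mac}
    transcript.append(("client -> broadcast", discover))

    offers = []
    for server in servers:             # a broadcast reaches every server on the segment
        reply = server.handle(discover)
        if reply and reply["type"] == "OFFER" and reply["xid"] == xid:
            transcript.append(("server -> client", reply))
            offers.append((server, reply))

    if not offers:                     # no offer: Windows 98/2000/XP self-assign an APIPA address
        addr = apipa_address(mac)
        transcript.append(("client", {"type": "APIPA", "yiaddr": addr}))
        return addr, transcript

    server, offer = offers[0]          # selection: the client takes the first offer it hears
    request = {"type": "REQUEST", "xid": xid, "mac": mac,
               "requested": offer["yiaddr"], "server": offer["server"]}
    transcript.append(("client -> broadcast", request))

    ack = server.handle(request)
    transcript.append(("server -> client", ack))
    if ack["type"] == "ACK" and ack["xid"] == xid:
        return ack["yiaddr"], transcript
    return None, transcript


def message_types(transcript):
    """Just the message names, in order, for inspection."""
    return [msg["type"] for _, msg in transcript]


if __name__ == "__main__":
    good = DhcpServer(["10.0.0.50", "10.0.0.51"])
    print(dhcp_client("00:11:22:33:44:55", [good]))
    silent = DhcpServer(["10.0.0.50"], authorized=False)
    print(dhcp_client("00:11:22:33:44:55", [silent]))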

4. How can you force the client to give up the dhcp lease if you have access to the client PC?

ipconfig /release

5. What authentication options do Windows 2000 Servers have for remote clients?

PAP, SPAP, CHAP, MS-CHAP and EAP.

6. What are the networking protocol options for the Windows clients if for some reason you do not want to use TCP/IP?

NWLink (Novell), NetBEUI, AppleTalk (Apple).

7. What is the data link layer in the OSI reference model responsible for? The data link layer is located above the physical layer, but below the network layer. It takes raw data bits and packages them into frames. The network layer is responsible for addressing the frames, while the physical layer is responsible for retrieving and sending raw data bits.

8. What is binding order?

The order by which the network protocols are used for client-server communications. The most frequently used protocols should be at the top.

9. How do cryptography-based keys ensure the validity of data transferred across the network? 

Each IP packet is assigned a checksum, so if the checksums do not match on both receiving and transmitting ends, the data was modified or corrupted.

10. Should we deploy IPSEC-based security or certificate-based security?

They are really two different technologies. IPSec secures the TCP/IP communication and protects the integrity of the packets. Certificate-based security ensures the validity of authenticated clients and servers.

11. What is LMHOSTS file?

It’s a file stored on a host machine that is used to resolve NetBIOS names to specific IP addresses.

12. What’s the difference between forward lookup and reverse lookup in DNS? Forward lookup is name-to-address, the reverse lookup is address-to-name.

13. How can you recover a file encrypted using EFS?

Use the domain recovery agent.

Active Directory Backup and Restore

To take a backup of the Active Directory database, go to Start -> Run and run ntbackup. In this utility choose Backup and select System State data; it contains the Active Directory database, the registry and the COM+ root certifications.

After taking the backup, if you want to restore the database, press F8 at the start menu and choose Directory Services Restore Mode. After the system boots, go to Start -> Run -> ntbackup and restore the database from the backup you took earlier. After the restore it will ask you to restart the system. Do not restart the system at that time; press No. The reason is that the restored data will show in Active Directory Users and Computers, but it will not work until you mark the database as authoritative. Next, open a command prompt and type these commands:

C:\>ntdsutil
ntdsutil: authoritative restore
authoritative restore: restore database

This marks the entire database as authoritative. If you want to restore only a single user or OU, type the command like this, then press Enter:

restore subtree cn=(username),cn=(OU name),cn=(dot before name),cn=(dot after name)

"Dot before" and "dot after" mean the following. Suppose your domain is unics.com, the user name is test and the OU name is sales. The context should then look like this:

cn=test,cn=sales,cn=unics,cn=com

If there is no OU, remove the OU component.

Caution: this procedure works when the Active Directory database is corrupt. If you want to format the system and, after installing the OS, restore the same OUs and users, follow this procedure:

First take a backup of System State. Then format the system and install the OS in a workgroup; there is no need to create a domain. Then restore the System State backup as described above. The same procedure works, but with one disadvantage: if you follow it, the users' group policies will not work.

If you want the group policies as well, after installing the OS create a domain with the same name as the previous domain. Then restore the database and mark it authoritative. It will work.

Answer the questions below

1. What is the port number of DNS? A. DNS port no is 53

2. What is the Active Directory?

3. To manipulate Active Directory, which protocol is used? A. LDAP

4. How can you check whether the DNS is working or not?

5. What is the use of SOA (Source of Authority)?

6. How do you view Event Viewer through the command line from a remote system without using Remote Management tools?

7. What are the FSMO roles?

8. What is the use of DHCP Relay Agent? A. The DHCP Relay Agent component is a Bootstrap Protocol (BOOTP) relay agent that relays Dynamic Host Configuration Protocol (DHCP) messages between DHCP clients and DHCP servers on different IP networks.

9. What is RPC over HTTP?

10. What is the default folder of IIS?

11. What is the name of the Active Directory file?

12. What are the DNS zone types?

13. To run IIS, what services are required?

14. What is the log file path and the configuration backup path of IIS?

15. What protocols do we need to install to run IIS?

16. What are the port numbers of FTP, HTTP, SMTP and NNTP?

17. What is the difference between DNS and WINS?

18. What is the default authentication protocol of Windows 2000?

19. How can you take a backup of the IIS configuration?

20. How does name resolution happen in Windows 2000?

21. What is DFS, what is the purpose of DFS, and how can you implement it practically? Explain step by step.

22. What is a RAID level? Explain the differences between them.

23. What are the differences between software and hardware RAID? Which one is better?

24. What is the difference between basic disks and dynamic disks?

25. What are the backup types and strategies?

26. How can you restore particular container objects from a System State restore?

27. I configured a DHCP scope on the DHCP server, but workstations are not getting an IP address from the DHCP server. What would be the problem?

28. What are the differences between NT, 2000 and 2003?

29. What is the schema, and what is its role in an Active Directory environment?

30. What is the maximum number of Global Catalog servers we can install in a single forest?

31. What modes are there in Terminal Services? Explain.

32. What is the default CAL in Terminal Services, and which protocol does it work on?

33. What is the difference between native and mixed mode?

34. What is the difference between migration and upgrade?

35. What are the steps involved in upgrading Windows NT to Windows 2000?

36. Explain Kerberos authentication in a Windows 2000 domain environment.

37. How many types of policies are there? Is it possible to implement Group Policy on a single group or user?

38. How can you deploy software from Group Policy?

39. What is the use of the SYSVOL and NETLOGON folders?

40. What is the use of an Organizational Unit?

41. What is replication? What are the replication data types in a forest?

Question 1. You are the administrator of the corp.arborshoes.com domain. Users in the domain run Windows 2000 Professional on their desktop computers. A user named Katrin in the Sales organizational unit reports that her mouse is not working correctly. You log on to the domain from Katrin's computer using a domain administrative account.

You use Device Manager to display the current information for the mouse drivers. You discover that Katrin's computer is using an older version of the mouse driver. You have a current driver from the mouse manufacturer. You install the current driver by using Device Manager and restart the computer. You test the mouse and it is still not functioning correctly. You check the problem and see that the previous driver is still installed. You want to be able to install the correct mouse driver.

What should you do?

(Question provided by: HotCerts)

( A )    Set the Sales OU policy for security to warn and allow the installation to override the local security defaults.

( B )    Set the domain policy for security to block but allow the installation to override local and Sales OU security defaults.

( C )    Set the local computer policy for security on Katrin's computer to warn but allow the installation to override the domain and the Sales OU security defaults.

( D )    Disable plug and play on Katrin's computer. Restart the computer and manually set up the system resources for the mouse.

( E )    None of the above

You are the administrator of a small server based network.

While installing Windows 2000 Professional on your computer, you configure the network adapter card for each computer to use TCP/IP and assign static IP setting information.

During installation the setup detects and installs the 10/100 Mbps UTP only network adapter card on computers #6 and #8, and a 10 Mbps/UTP combination adapter card on the other 7 computers.

You accept the default settings for the network adapter card and finish installing the network adapter card. All computers are connected to a 10/100 switch that has category 5 UTP cabling.

After installation you find that only computer #6 and #8 can communicate with each other. You want all 9 computers on your network to be able to communicate with each other.

What should you do?

(Question provided by: HotCerts)

( A )    Configure the 10/100 switch to transfer only at the 100 Mbps rate.

( B )    Configure the 10/100 Mbps network adapter card to switch all the computers to the 10 Mbps rate.

( C )    Change the combination network adapter card to use the BNC transceiver setting.

( D )    Change the combination network adapter card to use the UTP transceiver setting.

( E )    None of the above

You need to install Windows 2000 Professional on a new computer in your network. You use the setup manager wizard to configure a fully automated installation script file. You begin an unattended installation and leave the office.

When you return, the installation has reached the GUI-mode setup and you see the following error message "Unattended setup is unable to continue because a setup parameter specified by your system administrator or computer manufacturer is missing or invalid."

You need to complete the installation. What must you do?

(Question provided by: HotCerts)

( A )    In the unattended section of the answer file, set the OemPreinstall property to Yes.

( B )    In the NetBinding section of the answer file, specify the Enable variable.

( C )    In the User Data section of the answer file, specify the ProductID variable

( D )    In the GUIUnattended section of the answer file set the OemSkipWelcome property to 1.

( E )    None of the above

You purchase a USB board ISDN terminal adapter for your Windows 2000 Professional portable computer. You plug the device into the USB port.

Plug and Play fails to detect the new device. You test the device on a Windows 2000 Professional desktop computer. You find that Plug and Play correctly detects the device. You want to resolve the problem so that you can use the ISDN terminal adapter on your portable computer.

What should you do?

(Question provided by: HotCerts)

( A )    Use the Device Manager to enable the USB manager root hub.

( B )    Use the Device Manager to enable the USB host controller in the current hardware profile.

( C )    Contact the hardware manufacturer to obtain the upgrade for the Plug and Play BIOS.

( D )    Turn off the computer, plug in the ISDN terminal host adapter and restart the computer.

( E )    None of the above

You are the administrator for your company's network. The network is configured as shown in the exhibit.

You want to install Windows 2000 Professional on 20 new PXE-compliant computers on the marketing segment of your network. The new computers do not have operating systems installed. You create a RIS image. You load the image onto the RIS server. You then start the new computers. You find that the new computers cannot connect to the RIS server. You verify that the new computers cannot connect to the RIS server. You verify that the existing client computers in the network can connect to the network servers, including the RIS server. You want to enable the new computers to connect to the RIS server.

What should you do?

(Question provided by: HotCerts)

( A )    Add a Windows 2000 Server computer running WINS to the network.

( B )    Add a Windows 2000 Server computer running DHCP to the network.

( C )    Add the domain Everyone group to the RIS OS image security settings.

( D )    Place the new computers on the same segment as the RIS server.

( E )    None of the above

A Windows 2000 Server computer named Server1 is a file server on your network. Server1 runs numerous 16-bit applications. One of the applications, named App1, stops responding, causing all of the other 16-bit applications to stop responding.

You want to isolate App1 for monitoring and troubleshooting purposes.

What can you do?

(Question provided by: HotCerts)

( A )    Create a batch file that starts App1 by running the start command with the /separate switch. Use this batch file to start App1.

( B )    Create a shortcut to App1, and select the Run in separate memory space option in the shortcut properties. Use this shortcut to start App1.

( C )    In the properties for File and Printer Sharing for Microsoft Networks, select the Maximize data throughput for file sharing option button.

( D )    In the properties for File and Printer Sharing for Microsoft Networks, select the Balance option button.

( E )    Both A and B

You configure a Group Policy Object for the Marketing organizational unit (OU) to prevent users from accessing My Network Places and from running System in Control Panel. You want the Managers domain local group to be able to access My Network Places, but you still want to prevent them from running System in Control Panel.

What should you do?

(Question provided by: HotCerts)

( A )    Add the Managers group to the access control list of the GPO. Disable the permission of the Managers group to read and apply the group policy.

( B )    Add the Managers group to the access control list of the GPO. Deny the permission of the Managers group to read and apply the group policy.

( C )    Create a second GPO in the OU. Add the Managers group to the access control list. Allow the Managers group to apply the group policy. Deny the Authenticated Users group permission to read and apply group policy. Configure the new GPO to deny the ability to run System in Control Panel. Give the original GPO a higher priority than the new GPO.

( D )    Create a second GPO in the OU. Add the Managers group to the access control list. Allow the Managers group to read and apply the group policy. Disable the permission of the Authenticated Users group to read and apply the group policy. Configure the new GPO to allow access to My Network Places. Give the new GPO a higher priority than the original GPO.

( E )    None of the above

Your company network includes Windows 98, Windows 2000 Professional, and Macintosh client computers. All of the client computers currently use TCP/IP as their only network protocol.

You create several shared folders on a Windows 2000 Server computer. You plan to store the company's financial data in these shared folders. During testing, you discover that the Macintosh client computers cannot access the shared folders. You want the shared folders to be accessible from all of the client computers on the network.

What should you do first?

(Question provided by: HotCerts)

( A )    Install the SAP protocol on the Windows 2000 Server computer.

( B )    Install the AppleTalk network protocol on the Macintosh computers and on the Windows 2000 Server computer

( C )    Install Apple Talk network integration on the Windows 2000 Server computer

( D )    Install RIP on the Windows 2000 Server computer

( E )    None of the above

Your company’s network includes Windows 3.1 client computers, Windows 95 client computers and Windows 2000 Professional client computers. The company’s manufacturing facilities run 24 hours per day.

The company has developed its own 32-bit application that collects information from the manufacturing processes so that workers on one shift can find out what was manufactured during the previous shift. The company wants to make the application available on all of the client computers by using Terminal Services on a Windows 2000 Server computer. The server will not run as a domain controller. You install Terminal Services.

Users want to collect information on the manufacturing processes from other shifts. The company wants users to shut down their computers at the end of their shifts, and to leave the application running on the Terminal server.

What should you do?

(Question provided by: HotCerts)

( A )    Set the Delete temporary folders on exit setting for the Terminal server to No.

( B )    Set the Remote Desktop Protocol (RDP) on the server to override user settings, and set the End disconnected sessions setting to Never.

( C )    At the Terminal server, grant the users the right to log on as a batch job.

( D )    Do nothing. User programs are always terminated on disconnection.

( E )    None of the above

You are preparing to install Windows 2000 Server on a new computer. The computer is connected to a network that includes Windows 98 computers and Windows 2000 Server computers.

You want to install Windows 2000 Server from source files that are located on a server on the network.

What should you do?

(Question provided by: HotCerts)

( A )    Start the new computer by using a Windows 98 network boot disk. Connect to the network server. Run Winnt32.exe.

( B )    Start the new computer by using a Windows 98 network boot disk. Connect to the network server. Run Winnt.exe.

( C )    On a Windows 2000 Server computer, use Makebt32.exe to create installation startup disks. Start the new computer by using the first disk.

( D )    On a Windows 2000 computer, format a floppy disk. Copy NTLDR, boot.ini, Ntdetect.com and Ntbootdd.sys to this disk. Start the new computer by using the disk.

( E )    None of the above

Question 1: C E (26 sec). Question 2: C D (42 sec). Question 3: B B (31 sec). Question 4: C B (50 sec). Question 5: A B

1. How do you prevent the inappropriate use of the domain?
A. Rename the Administrator account and change the password.
B. Track failed logons on the domain.
C. Set account lockout policies to lock after one failed attempt.
Ans: A

2. You have a laptop that is docked at the office. You installed a SCSI adapter card for the office printer on the office laptop, and you notice that the card runs on the laptop at home and consumes a lot of power. You want to disable it and conserve power.
A. Disable the card in the hardware profile of the laptop.
Ans: A

3. A question on wanting to encrypt a compressed file.
A. You cannot encrypt and compress a file at the same time.
Ans: A

4. A question testing the measurement of memory. You have 854 bytes of memory and you want to compress. Options are 512 bytes, 4 KB.
A. Know which is greater, bytes or kilobytes. (This is a giveaway question if you know these.)
Ans: A

5. You have a portable laptop with W2K Pro installed. You add a PnP SCSI device to the docking station, connect the portable and boot W2K. It fails to detect the SCSI device. You start the Hardware wizard, but when it finishes it has not detected the device. You want to enable W2K to detect the device. What do you do?
a. Start the Add/Remove Hardware wizard. Manually install the drivers.
b. Wrong answer
c. Wrong answer
d. Add the drivers to the %systemroot%\Driver Cache\i386 folder and start the Add/Remove Hardware wizard.
ANS: D. Check this folder and you will see it is actually there and contains all the drivers that are present on Windows 2000 by default (%systemroot%\Driver Cache\i386). Check it out.

6. You scan an image into your computer running Windows 2000. The image looks distorted on your monitor and is not clear. You try to print the image and it prints out well. Where can you solve this problem?
a. Through Control Panel, the Scanners & Cameras icon, Color Management tab.
b. Through the Display Properties icon, by changing the refresh frequency.
c. Through the Display Properties icon, Color Management tab.
d. Through the Printers icon, Color Management tab.
ANS: C

7. Your desktop computer has Windows 2000 Professional installed. You create a new dial-up connection to connect to the Internet. You configure the Internet connection to enable Internet Connection Sharing. After you configure the connection, you cannot see or connect to any shared resources on your local network. You want your computer to be able to connect to shared resources. What should you do?
A. Configure the dial-up connection to disable shared access.
B. Configure the dial-up connection to disable on-demand dialing.
C. Disable data encryption in the new dial-up connection.
D. Use the ipconfig command to release and renew your network TCP/IP address.
ANS: A
(Why? Search for "Internet connection sharing" (ICS) in the W2K Server online help. Quoting from there: "When you enable Internet connection sharing, the adapter connected to the home or small office network is given a new static IP address configuration. Consequently, TCP/IP connections established between any small office or home office computer and the Internet connection sharing computer at the time of enabling Internet connection sharing are lost and need to be reestablished." Also: "To use the Internet connection sharing feature, users on your home office or small office network must configure TCP/IP on their local area connection to obtain an IP address automatically." What this means: the ICS machine becomes the DHCP provider for the network and assigns itself the IP 192.168.0.1. If you use the ipconfig command to release and renew your network TCP/IP address, it will assign itself the same IP and will wait for the other machines to be set properly to assign them IP addresses. Since none of the options talk about configuring the TCP/IP connection on all the other machines to obtain an IP address automatically, only answer A is correct.)

8. You want to use RIS to install Windows 2000 Professional on 2 systems. You open the exhibit and notice that you have Active Directory (AD), a RIS server and a DNS server. The PCs are PXE capable, but they cannot connect to the RIS server. Why? (Drag and place figure, and select the missing server.)
A. The DHCP server is missing.
Explanation: The Remote Installation Service environment consists of several technologies and services within a network containing an existing Dynamic Host Configuration Protocol (DHCP) server, Domain Name System (DNS) server, RIS server and Active Directory. You use the Pre-Boot eXecution Environment (PXE) DHCP-based remote boot technology to install the operating system on the client computer from a remote source. The remote source, the Remote Installation Services server, contains the operating system image to be installed in either compact disc (CD) or Remote Installation Preparation wizard (RIPrep) image format. The CD-based option is similar to setting up a client directly from the Windows 2000 Professional CD, except that the source files reside on an available Remote Installation Services server. You use the RIPrep option if you want to install and configure a client computer to comply with specific corporate desktop standards that are unique to the organization.
Ans: A

9. You want to install Windows 2000 Professional on 30 PXE-compliant computers and 35 non-PXE-compliant computers. All 65 computers are included on the current hardware compatibility list (HCL). You create a RIS image. You load the image on the RIS server. You then start the 65 computers. You find that the 30 PXE-compliant computers can connect to the RIS server. However, the 35 non-PXE-compliant computers have to connect to the RIS server. What should you do?
A. Run Rbfg.exe to create a non-PXE-compliant startup disk
B. Run Riprep.exe to create a non-PXE-compliant startup disk
C. Grant the Everyone group NTFS Read permission for the RIS image
D. Grant the Administrators group NTFS Read permission for the RIS image
Ans: A

10. You have a laptop with a smart card and a certificate enabled. You create a dial-up connection and must choose the correct protocol for authentication.
A. EAP
Ans: A

11. Question about RRAS and enabling "Smart Card Support". It shows an exhibit of the RRAS Authentication screen. (Choose all that apply)
A. Use Extensible Authentication Protocol (EAP)
B. Unencrypted password (PAP)
C. Shiva Password Authentication Protocol (SPAP)
D. Challenge Handshake Authentication Protocol (CHAP)
E. Microsoft CHAP (MS-CHAP)
F. Microsoft CHAP Version 2 (MS-CHAP v2)
G. For MS-CHAP based protocols, automatically use my Windows logon name and password (and domain, if any)
ANS: A. Choose EAP only. (For smart cards all you need is EAP. Once you click on the EAP button, all other options are disabled by default.)

12. You install Windows 2000 Professional on your computer at home. You create a new dial-up connection to connect to your company's remote access server. You configure the connection to use both of your external modems and to use multi-link to bind the modems together. You start the dial-up connection and connect to the remote access server. You notice that only one of the modems is connected to the remote access server. What should you do?
A. Configure the dial-up connection to use a SLIP connection
B. Configure the company's remote access server to accept multi-link connections
C. Replace your modems with new modems that support multi-link
D. Grant your user account multi-link permission on the company's remote access
ANS: B

13. You are creating a dial-up connection for Internet access. The wizard cannot access the default Internet Service Provider (ISP) with either of the numbers provided. What is your alternate method for setting up the connection?
A. Configure the dial-up connection to negotiate with the server using Challenge-Handshake Authentication Protocol (CHAP).
B. You can choose the option to set up the Internet connection manually if you already know the ISP's phone number and your account and password.
C. You need to provide a known IP address before attempting to connect to the ISP server.
D. Your ISP is requiring data encryption. Configure the dial-up connection to use it.
ANS: B

14. You are the admin for your company network. You have identical machines with W2K Pro that are used by your telemarketing employees. They use any of the machines at any time. You want them to use the company's standard desktop settings when they log into the PC, but you want to allow them to change settings while they are working with the PCs. What do you do?
A. Enable mandatory profiles.
Ans: A

15. You are the administrator of your company's network.
You configure a local group named accounting to have a mandatory user profile. The mandatory profile has been configured to include a custom logo that was saved with 16-bit color and 1025x768 resolution. Some of the Windows 2000 Professional computers in the accounting department have standard VGA video adapters, and others have SVGA video adapters. Several users report that when they log on to certain Windows 2000 Professional computers, the custom bitmap becomes very pixilated and distorted, and does not reflect the proper color depth. You want users to be able to correctly view the custom bitmap on any computer in the accounting department. What should you do? A. Change the custom bitmap to a 16-color bitmap that has 640x480 resolution, and reconfigure the mandatory user profile. Ans: A16. You install a PNP USB device on a portable running W2KPro but it is

Page 30: Interview Questions Dump

not detected. You them install the same device on a PC running W2KPro and it detects the USB device. What to do to enable the portable to detect the device?A. Request new BIOS from the hardware manufacturer to enable USBAns: A 17. You are the Administrator of your company's network. You install Windows 2000 Professional onto 10 Computers in the Graphics-Department. The 10 Computers have built in USB-Controllers. You then physically install new USB-Tablet devices on each of the 10 Computers. You are prompted for the Tablet-Software. You install the Tablet-Software and a Tablet-Icon appears in the control panel to configure the device, but the device does not work. You view Device Manager as in the "Exhibit", but no USB device are displayed (Click the "Exhibit" Button). You want the USB-Tablets to work on all 10 Computers. What should you do? A. Disable USB error detection for the USB Root-Hub-Controller and enable USB-Tablet device in hardware profile. B. Reinstall the USB device drivers and disable the USB error detection. C. Enable the USB Root-Hub-Controller and reinstall the USB-Tablet device driver. D. Enable the USB ports in the Computer BIOS and reinstall the USB-Tablet device drivers. Ans: D 18. You have 3 drives: 0,1,2. You want to put 98 on 0 and w2kp on 1 you want to put files on 2 that can be accessed from both, open the exhibit and place so fat 32 on 0 and 2, NTFS on 1. The question gives some stuff about needing to have NTFS features on drive 1A. DRIVE 0 = FAT32, DRIVE 1 = NTFS, DRIVE 2 = FAT32 Ans: A19. You are the administrator of your company's network. Your network has 75 windows 2000 professional computers and eight Windows 2000 Server computers. Users on the network drive save their work files in home folders on a network server. The NTFS partition that contains the home folders has Encrypting File System (EFS) enabled. The partition also has disk quotas defined. A user named Candy reports that she cannot save any files to her home folder. 
She also cannot update files in her home folder. When she attempts to save files to the folder she receives the following error message "insufficient disk space". Other users are not experiencing this problem with their home folders. You want to enable Candy to save files in her home folder. What should you do? A. Log on to the network as a Recovery Agent. Decrypt all of candy's files in her home folder.B. Log on to the network by using the domain Administrator account. Grant Candy Full control permission to her home folder. C. Use Windows Backup to archive and remove old files on the server. D. Increase the server a disk quota entry for Candy to accommodate the additional files.ANS: D20. You encrypt three files to ensure the security of the files. You want to make a backup copy of the three files and maintain security setting. You have the option of backing up to either the network or a floppy disk. What should you do?

Page 31: Interview Questions Dump

A. Copy the files to a network share on a NTFS volume. Do nothing further.B. Copy the files to a network share on a FAT32 volume. Do nothing further. C. Copy the files to a floppy disk that has been formatted by using Windows 2000 Professional. Do nothing further. D. Place the files in an encrypted folder. Then copy the folder to a floppy disk. ANS: A (Only NTFS keeps encryption)21. Kevin, the Software Developer of Perfect Solution Inc., recently left the job. The company's Administrator moves all of his home folder files to his Manager's home folder. The NTFS partition that contains the home folders has the Encrypting File System (EFS) enabled. When the Manager attempts to open Kevin's files, he is denied access. What should be done, so that the Manager can access those files with least administrative burden?

A. Grant the Manager NTFS Full Control (FC) permission to the files. B. Grant the Manager the NTFS Take Ownership (TO) permission to the files. C. Logon to the network as a Recovery Agent. Decrypt the files for the Manager. D. Logon to the network as a member of Backup Operators group. Decrypt the files for the Manager.ANS: C (Why? Because only the user that created the EFS file or the Recovery agent can decrypt EFS files. Nobody else, it doesn't matter if you give them FC or TO)22. You have a 2 MB Windows bitmap. You have compression enabled on Drive c: The file has been compressed to 1 MB. You try to copy the file to a floppy disk but you get the message "insufficient disk space." How can you copy the file to the disk?A. Compress the bitmap with a compression program then transfer it to the "a" drive. (Also could said; "Use the COMPRESS.EXE file (from the W2K Resource kit) to compress the file and put it on a floppy." The EXPAND.EXE file located in %systemroot%system32 is used to expand them back into W2K from a floppy.)Ans: A23. You have a PC with one drive and one volume, which has a NTFS folder called Sales, which is compressed. You also have a folder called CORP, which is not compressed. You want to place Sales under Corp, still compressed, and have a backup of Sales in case something goes wrong. What should you do? A. Backup the sales folder to an NTFS volume, and move Sales under Corp. (One more option they had given -- Move sales under Corp in the NTFS vol. - but backup not mentioned) Ans: A24. You set up scheduled tasks to run and notify you of any failures. 3 days later you see that none of the tasks ran and you received no notifications. What to do?a. Set the schedule service to run under the administrator account.b. Set the scheduled tasks to run under the administrator account.c. Enable the messenger serviced. d. Set the schedule service to run under the local system account and set

Page 32: Interview Questions Dump

it to start automatically.ANS: D because the schedule service wasn't running, the jobs never ran and therefore didn't notify you of an error because they never ran in the first place.25. You have a W2K machine with a Pentium II 400 MHz that has a graphics program. When the program is running, performance is degraded. You look at the exhibit, which displays some counters. You notice that the Processor: %Processor Time is most of the time in 100% and another counter related to the processor is also high (don't remember which). The other counters are within normal (learn all of them). What to do?A. Add another Pentium II 400 MHz processor.Ans: A26. You have 10 win2k Professional computer in your company. You are the administrator and want your clients to use Internet in your network. But your budget is low. How can you accomplish this in windows 2000 professional environment? (Choose all that apply)A. 1) Install the modem on a W2K pro PC2) Create a dial-up connection for the ISP 2) Enable Internet connection sharing 3) Enable the option to dial-up on demand on the others computers Ans: A27. Question about three 16-bit programs, one collects data, the other is a data analysis program that communicates through OLE with the graphics program, which displays data in realtime. Machine has only one processor and performance is not good. You add a second processor, which is setup and displays in the device manager. Even though, the apps run only in one processor and performance is slow. What to do? (Choose only 2) (Study this, NOT SURE about the wording here but just to give you an idea, i think I got this wrong.)A. a) Configure the graphics program to run in its own (VDM).b) Configure the programs that collect data and analyses data with affinity 0 for processor 1, configure the graphics program with affinity 1 for processor 2.Ans: A28. You have an 18 GB SCSI hard drive. W2K is installed on it. You add a new ATA-100 hard drive and a controller. 
After reboot, both drives are detected but you get an error saying "No OS detected". What to do to be able to boot to W2K with boot drives connected? (They gave 4 possible choices, three of them were absolutely wrong, only the want below was a logical and duable answer)A. Disconnect the ATA-100 drive and boot to W2K. Insert a floppy disk and format it. Copy the boot files from the SCSI drive to the floppy and shutdown. Reconnect the ATA-100 drive. Boot from the floppy into W2K and format the ATA-100 drive. Copy the boot files from the floppy into the ATA-100 drive.Ans: A29. You take backups of your hard drives every night. On Thursday morning you see that the hard disk has crashed. The EXIHIBT SHOWS The backup log as follows:

Page 33: Interview Questions Dump

Friday - normal backup, completed Saturday - incremental backup, completed Sunday - incremental backup, completed Monday - incremental backup, completed Tuesday - incremental backup, terminated incomplete (but some files get backup)Wednesday - incremental backup, complete What should you do? A.Restore fri, sat, sun, mon, tue, wed which will restore current data as of Wed. Ans: A30. (Similar questions to this one - same answer) You are the administrator of a Windows 2000 network that has 1,500 Windows 2000 Professional computers. Microsoft Office 2000 was assigned to all the computers on the network by using Group Policy object (GPO). You deploy the Office 2000 service release to all Windows 2000 Professional computers on the network. The service release, in addition to other software that had been assigned, fails to install on only one of the computers. What should you do? a. Re-deploy the service release by using a .Zap file. b. ......... mst file. c. Restart windows installer on the do main controller. d. Restart windows installer on the computers that failed to install the service release.ANS: D31. You are using Windows Installer to deploy an application to 750 Windows 2000 Professional Computers on your network. The network includes an organizational unit (OU) named Sales. A Group Policy object is created for the Sales OU. The software deployment of the application is unsuccessful. During the deployment, some users in the Sales OU report that the installation is aborting with random errors midway through the installation process. The remaining users in the sales OU report that the software is installing, but is giving them general protection fault errors. What should you do? A. Repackage and re-deploy the application's .msi file for the Sales OU. B. Repackage and re-deploy the application's .mst file for the Sales OU. C. Re-deploy the application by using the Group Policy object for the Sales OU.D. Restart Windows Installer on all Computers in the Sales OU. 
Then re-deploy the application's .zap file to the Sales OU.ANS: A This is the true answer, because you can only use .mst together with .msi, not by themselves. Look it up.32. Based on the exhibit: three computers pc1, pc2, pc3 and a DHCP server on the sales segment of the network, configured to get IP settings automatically. The pc1, pc2, and the DHCP server all have TCP/IP and have IP addresses (192.168.10.31, -32, -34), subnet mask (255.255.255.0) configured. They all have the wrong default gateway 192.168.10.20, while the router was labeled with 192.168.10.60. PC1, PC2, and the DHCP server also have NWLINK 802.2. PC3 has NWLINK 802.3 only, no IP. Then, there is a router. The development segment is at the other side of the router and was

Page 34: Interview Questions Dump

configured with IP address 192.168.10.x, subnet mask (255.255.255.0), and default gateway that match the router. PC1 and PC2 couldn't see computers on the development segment, PC3 couldn't see anybody. What should you do to make everybody on both subnets can see everybody else on both subnets (select 2).A. Change the IP configuration on the DHCP server on the Sales subnet to have the right default gateway address. B. Install TCP/IP with default settings on PC3. Ans: A, B33. You want to install Win2K PRO on X new computers on your company's network. You first install Win2K PRO on one of the new computers. You log on to the computer by using local admin account. You install MS Office 97, a virus scanner, and other company standard applications. You then create a RIS image of the computer you configured. You want to configure the RIS image so that the standard applications will be accessible to the user when the user first logs on to the network. What should you do? a) Run RBFG.exe before installing the standard apps b) Run RIPREP.exe before installing the standard apps c) Copy the ALL USERS profile to the DEFAULT users profile d) Copy the LOCAL ADMINISTRATOR account profile to the DEFAULT user profile Ans: D Correct answer is D, when you set up the apps as a Local Administrator, depending on the apps, some shortcuts will be placed on the All Users profile (like MS Office 97) and others will be placed only in the Local Administrator profile. If you copy the Local Administrator profile, the custom settings (shortcuts) installed under this profile will be copied to the Default Users Profile, and thus available when new user are setup on the PC's. Use Control Panel --> System --> User profiles tab to copy the profile. The copied files will inherit the permissions setting for Default User folder. Remember the only things that you are providing here are shortcuts; you are NOT providing permissions or rights here. 
Those are controlled by NTFS permissions and group rights assignments. The All Users Profile is just that what it says for "ALL USERS", so it will be saved on the RIS image and deployed to the new PC's, this will include all the shortcuts associated with it. Check the study guide for W2KPRo on BrainBuzz.com, also look on (assuming C is your W2KPro drive) C:Documents and Settings and check the different entries for the standards profiles. Especially on the Start Menu --> Programs area.34. You are trying to copy big files from a UNIX server to WIN2K computer (running TCP/IP). You do the copy in explorer. The files are 100 MB each, and you need to copy 20 of them. The copying always aborts. What should you do to resolve the problem? A. Install network monitor agent, use performance console and review all counters for TCP/IP. B. Install network monitor agent, use performance console and review Fragmented Datagrams/Sec. C. Install SNMP and monitor TCP/IP counters. D. Install simple TCP/IP protocol and monitor Fragmented Data ans: B 35. You are performing a Weekly backup and you want to be sure that you

Page 35: Interview Questions Dump

backup everything including the registry, boot files, and COMA. Configure the backup to backup the system state areaB. Configure the backup to backup the system partitionC. Create a batch file to run RDISK.EXE /s-before backup startsD. Create a batch file to run RDISK.EXE /s- after backup is startedAnswer: A36. You take backups of your hard drives every night. On Thursday morning you see that the hard disk has crashed. The EXIHIBT SHOWS The backup log as follows: Friday - normal backup, completed Saturday - incremental backup, completed Sunday - incremental backup, completed Monday - incremental backup, completed Tuesday - incremental backup, incomplete Wednesday - incremental backup, complete What should you do? A. Restore fri, sat, sun, mon, and wed Ans: A37. You have two drives in a PC. You want to make sure that you are

prepared in case of disk failure. System and boot partition must be backed up. How do you do it?A. Configure the backup to backup the system state areaB. Run weekly backup it will take care of backing up these filesC. Create a batch file to run RDISK.EXE /s-before backup startsD. Create a batch file to run RDISK.EXE /s- after backup is startedAnswer: A38. You are the administrator of your company's network. You want to deploy a Windows 2000 Professional service pack to 10 computers in the Development organizational unit (OU). You create a Windows Installer package file for the service pack. You use the package file to successfully install the service pack to other computers in the domain. You assign the package file to the Development OU. After the installation, you notice that the service pack was not installed on any of the 10 computers. You want to ensure that the service pack is successfully installed on the Computers in the Development OU. What should you do?A. Use Computer Management to start the Windows Installer service on all of the computers in the Development OU.B. Use the local Administrator account to log on to the Computers in the Development OU. Then redeploys the service pack to the computers in the Development OU.C. Run WinINSTALL LE to repair the package file. Then redeploys the service pack to the computers in the Development OU.D. Add the user accounts from the Development OU to the DACL. Grant the user accounts Read permission to the service pack deployment directory.ANS: D Search for "Windows Installer" and see the "Best Practices" sections on W2KPro and W2KServer Online Help
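Questions 19 to 21 turn on two EFS facts that are easy to get wrong in practice: the encryption attribute survives only on NTFS, and a network copy is decrypted on the client before it crosses the wire. The following is an added example, written for this page and not part of the original dump, that checks both before a copy is attempted. It assumes Windows PowerShell 5.1 or later on Windows; the function names and the two placeholder paths at the bottom are this example's own.

```powershell
# Added example; not taken from the original question dump. Before copying
# EFS-protected files (questions 19 to 21), list which files are encrypted and
# whether the destination can keep them that way. Windows PowerShell 5.1+ on
# Windows; the two paths passed in at the bottom are placeholders and must exist.

function Get-EncryptedFile {
    # Files whose NTFS Encrypted attribute is set (what "cipher /c" reports as E).
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -File -Recurse |
        Where-Object { $_.Attributes.HasFlag([System.IO.FileAttributes]::Encrypted) }
}

function Test-EfsDestination {
    # Reports whether a copy to $Destination keeps EFS, and what happens on the way there.
    param([Parameter(Mandatory)][string]$Destination)

    if ($Destination -match '^\\\\') {
        # UNC share: EFS is a property of the NTFS volume, not of SMB. The client
        # decrypts the file and sends it in the clear; the server re-encrypts it only
        # if the share is on NTFS and the server computer is trusted for delegation.
        return [pscustomobject]@{
            Destination = $Destination
            FileSystem  = 'remote (not checked here)'
            KeepsEfs    = $null
            Note        = 'Plaintext on the wire over SMB; re-encryption needs NTFS on the server and a server trusted for delegation'
        }
    }

    $root  = [System.IO.Path]::GetPathRoot((Resolve-Path -Path $Destination).Path)
    $drive = New-Object System.IO.DriveInfo($root)
    $ntfs  = $drive.DriveFormat -eq 'NTFS'
    [pscustomobject]@{
        Destination = $Destination
        FileSystem  = $drive.DriveFormat
        KeepsEfs    = $ntfs
        Note        = if ($ntfs) { 'Encrypted attribute preserved on copy' }
                      else       { 'Non-NTFS target: the file lands decrypted (or the copy fails), like the floppy in question 20' }
    }
}

function Copy-EncryptedFileSafely {
    # Copies only when the destination is a local NTFS volume; otherwise refuses and says why.
    param([Parameter(Mandatory)][string]$Source, [Parameter(Mandatory)][string]$Destination)
    $check = Test-EfsDestination -Destination $Destination
    $files = @(Get-EncryptedFile -Path $Source)
    if ($files.Count -gt 0 -and $check.KeepsEfs -ne $true) {
        Write-Warning ('Refusing to copy {0} encrypted file(s) to {1}: {2}' -f $files.Count, $Destination, $check.Note)
        return $check
    }
    Copy-Item -Path (Join-Path $Source '*') -Destination $Destination -Recurse -Force
    return $check
}

# Placeholder paths; replace with real ones.
Copy-EncryptedFileSafely -Source "$env:USERPROFILE\Documents\Secret" -Destination 'D:\Archive'
```

The UNC branch deliberately refuses rather than guessing: whether the server re-encrypts depends on the server's configuration, which the client cannot see, and the bytes are in the clear on the wire either way unless the SMB session itself is signed and encrypted.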
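Questions 29, 36 and 37 all rest on the archive-attribute rule used by Windows Backup: a normal backup copies every file and clears the attribute, an incremental copies only files with the attribute set and clears it as it goes, so an incremental that dies part-way has already cleared the attribute on the files it did copy. The following is an added example, not from the original dump, that replays the week from question 29 on a scratch folder and shows what each restore order recovers. It assumes Windows PowerShell 5.1 or later on Windows; the folder layout, function names and file contents are constructed here.

```powershell
# Added example; not taken from the original question dump. Simulates the
# archive-attribute rules behind questions 29, 36 and 37 on a scratch folder:
# a normal backup copies every file and clears the Archive attribute; an incremental
# copies only files with Archive set and clears it; an incremental that terminates
# part-way has already cleared the attribute on the files it did copy. Everything
# under $lab is constructed here. Windows PowerShell 5.1+ on Windows.

$lab  = Join-Path $env:TEMP ('backup-lab-' + [guid]::NewGuid().ToString('N'))
$data = Join-Path $lab 'data'    # the "hard drive"
$sets = Join-Path $lab 'sets'    # one folder per backup set
New-Item -ItemType Directory -Path $data, $sets | Out-Null

function Write-Data([string]$Name, [string]$Content) {
    Set-Content -Path (Join-Path $data $Name) -Value $Content  # any write sets Archive, as NTFS does
}

function Invoke-Backup {
    param([string]$SetName, [ValidateSet('Normal','Incremental')][string]$Type, [int]$StopAfter = [int]::MaxValue)
    $dest  = New-Item -ItemType Directory -Path (Join-Path $sets $SetName)
    $files = Get-ChildItem -Path $data -File | Sort-Object Name
    if ($Type -eq 'Incremental') {
        $files = $files | Where-Object { $_.Attributes.HasFlag([System.IO.FileAttributes]::Archive) }
    }
    $copied = 0
    foreach ($f in $files) {
        if ($copied -ge $StopAfter) { break }   # "terminated, incomplete": later files keep Archive set
        Copy-Item -Path $f.FullName -Destination $dest.FullName
        [System.IO.File]::SetAttributes($f.FullName, [int]$f.Attributes -band -bnot [int][System.IO.FileAttributes]::Archive)
        $copied++
    }
}

function Restore-Sets([string[]]$Order) {
    # Applies the sets in order; a later set overwrites what an earlier one restored.
    $restore = New-Item -ItemType Directory -Path (Join-Path $lab ('restore-' + ($Order -join '-')))
    foreach ($s in $Order) { Copy-Item -Path (Join-Path $sets "$s\*") -Destination $restore.FullName -Force }
    $restore.FullName
}

function Compare-Restore([string]$RestoreDir) {
    # Lists files whose restored content differs from what was on disk before the crash.
    foreach ($f in Get-ChildItem -Path $data -File) {
        $r        = Join-Path $RestoreDir $f.Name
        $restored = if (Test-Path $r) { Get-Content -Path $r -Raw } else { '<missing>' }
        $live     = Get-Content -Path $f.FullName -Raw
        if ($restored -ne $live) {
            [pscustomobject]@{ File = $f.Name; Live = $live.Trim(); Restored = $restored.Trim() }
        }
    }
}

# The week from questions 29 and 36 (constructed data)
Write-Data a.txt 'a1'; Write-Data b.txt 'b1'; Write-Data c.txt 'c1'; Write-Data d.txt 'd1'
Invoke-Backup Fri Normal
Write-Data a.txt 'a2';                         Invoke-Backup Sat Incremental
Write-Data b.txt 'b2';                         Invoke-Backup Sun Incremental
Write-Data c.txt 'c2';                         Invoke-Backup Mon Incremental
Write-Data a.txt 'a3'; Write-Data d.txt 'd2';  Invoke-Backup Tue Incremental -StopAfter 1   # got a.txt, died before d.txt
Write-Data b.txt 'b3';                         Invoke-Backup Wed Incremental                 # picks up b.txt and the still-flagged d.txt

'Restore Fri..Wed including the partial Tuesday set:'
Compare-Restore (Restore-Sets Fri,Sat,Sun,Mon,Tue,Wed) | Format-Table -AutoSize   # nothing listed: everything current
'Restore skipping Tuesday:'
Compare-Restore (Restore-Sets Fri,Sat,Sun,Mon,Wed)     | Format-Table -AutoSize   # a.txt comes back as a2; live was a3
```

The second restore loses a.txt's Tuesday version because Tuesday's run cleared its archive attribute before dying, so Wednesday's incremental never saw it; d.txt, which Tuesday never reached, is fine either way. The scratch tree under $env:TEMP is left in place for inspection.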

39. You are the administrator of a Windows 2000 domain. You develop a graphics software application to users in the Graphics organizational unit

Page 36: Interview Questions Dump

(OU). You want to create a custom installation for three users named Carlos, Carmen, and Maria, who are members of the Graphics OU. You want these three users to be able to access additional text, filters, and other graphics options for the software. What should you do?A. Create the Graphic Users OU in the domain. Add a custom .msi file to the Graphics OU.B. Create the Graphic Users OU in the domain. Add a custom .mst file to the Graphics OU.C. Create the Advanced Software OU within the Graphics OU, and add Carlos, Carmen, and Maria. Create an .msi file, including changes, and apply the modifications to the Advanced Software OU.D. Create the Advanced Software OU within the Graphics OU, and add Carlos. Carmen, and Maria. Create an: mst file, including changes, and apply the modifications to the Advanced Software OU.ANS: D

40. You have recently deployed an application to several hundred Windows 2000 Professional computers on your company's network. However, you were just made aware that there is a patch available for the application and you would like to apply this to all of the computers to which the application was deployed. Which of the following represents that correct way to do this?A. Replace the .msi file on the network server with a new .msi file. Restart the Windows Installer service on all of the clients.B. Replace the .msi file on the network server with a .msp file. Restart the Windows Installer service on all of the clients.C. Replace the .msi file on the network server with a .mst file. Restart the Windows Installer service on all of the clients.D. Use the msiexec command to specify the location of a .msp file. Redeploy the application through Group Policies.E. Use the msiexec command to specify the location of a .mst file. Redeploy the application through Group Policies.Answer: D Search Knowledge base for "How to Patch a Software Installation Stored on a Network Server That Is Deployed Using Microsoft Software Installer"

41. You are the administrator of a Windows 2000 network that has 1,500Windows 2000 Professional computers. Microsoft Office 2000 was assigned to all the computers on the network by using Group Policy object (GPO). You deploy the Office 2000 service release to all Windows 2000 Professional computers on the network. The service release, in addition to other software that had been assigned, fails to install on only one of the computers. What should you do? a. Re-deploy the service release by using a .Zap file. b. ......... mst file. c. Restart windows installer on the do main controller. d. Restart windows installer on the computers that failed to install the service release. ANS: D

Page 37: Interview Questions Dump

42. You are deploying an application using windows 2000 (Windows 2000 Service pack). When Users try to install it the installation fails. What do you need to do in order correct the situation?A. Re-deploy the .msi fileB. Re-deploy the .mst fileC. Re-deploy using the .zap fileAns: A

43. You are using Windows Installer to deploy an application to 750 Windows 2000 Professional Computers on your network. The network includes an organizational unit (OU) named Sales. A Group Policy object is created for the Sales OU. The software deployment of the application is unsuccessful. During the deployment, some users in the Sales OU report that the installation is aborting with random errors midway through the installation process. The remaining users in the sales OU report that the software is installing, but is giving them general protection fault errors. What should you do?

A. Repackage and re-deploy the application's .msi file for the Sales OU. B. Repackage and re-deploy the application's .mst file for the Sales OU. C. Re-deploy the application by using the Group Policy object for the Sales OU.D. Restart Windows Installer on all Computers in the Sales OU. Then re-deploy the application's .zap file to the Sales OU.ANS: A This is the true answer, because you can only use .mst together with .msi, not by themselves. Look it up.

44. You are the administrator for a network supporting win2000 active directory services. You want to use windows installer to deploy applications on computers running win2000pro while achieving these desired results: A. The software should appear as though it has been installed but it should not actually be installed until users attempt to run the application.B. The application should always be available to roaming users who log on to several different computers in a typical workday.C. If the software is deleted for any reason it should be reinstalled at logon.D. Only authorized users should be allowed to run the application. Your proposed solution is to assign the software package to the users in the appropriate OU. Which result does the proposed solution provide? (Choose 3)ANSWER: A, B, C

45. Your desktop Computer has Windows 2000 Professional installed. You create a new dial-up connection to connect to the Internet. You configure the Internet connection to enable Internet Connection Sharing. After you configure the connection, you cannot see or connect to any shared resources on your local network. You want your computer to be able to

Page 38: Interview Questions Dump

connect to shared resources. What should you do?A. Configure the dial-up connection to disable shared access.B. Configure the dial-up connection to disable on-demand dialing.C. Disable data encryption in the new dial-up connection. D. Use the ipconfig command to release and renew your network TCP/P address.ANS: AWhy? Search for "Internet connection sharing" (ICS) on the

W2KServer online help. Quoting from there: "When you enable Internet connection sharing, the adapter connected to the home or small office network is given a new static IP address configuration. Consequently, TCP/IP connections established between any small office or home office computer and the Internet connection sharing computer at the time of enabling Internet connection sharing are lost and need to be reestablished. Also: "To use the Internet connection sharing feature, users on your home office or small office network must configure TCP/IP on their local area connection to obtain an IP address automatically." What this means; the ICS machine becomes the DHCP provider for the network and will assign itself the IP 192.168.0.1. If you use the IPCONFIG command to release and renew your network TCP/P address, it will assign itself the same IP and will wait for the other machines to be set properly to assign them IP addresses. Since none of the options talk about configuring the TCP/IP connection on all the other machines to obtain an IP address automatically, only answer A is correct.)

46. You are creating a shared Internet connection on your W2P. You want to enable other computer on the LAN to be able to connect only through HTTP and FTP site in the Internet. (Check all that apply) A. Configure shared Internet connection to disable LCP extension. B. Configure shared Internet connection to disable on demand dialing C. Create an Internet connection sharing application type for HTTP to use remote server port 25 D. Create an Internet connection sharing application type for HTTP to use remote server port 80 E. Create an Internet connection sharing application type for FTP to use remote server port 21 F. Create an Internet connection sharing application type for FTP to use remote server port 72 ANS: D,E47. You want your clients to use the Internet in your network but your budget is low. How can you accomplish this with one 56K modem and a dial-up connection to the ISP?A. Enable Internet Connection Sharing, and install the modem on a one W2K Professional PC and create a dial-up for the ISP. Ans: A48. You have 10 win2k Professional computer in your company. You are the administrator and want your clients to use Internet in your network. But your budget is low. How can you accomplish this in windows 2000 professional environment? A. Set the Internet connection share and select the option to dial-up on

Page 39: Interview Questions Dump

demand, and install the modem on a W2K pro PC and create a dial-up for the ISP. Ans: A49. You have ten computers in your organization that are not connected to the Internet. The company breaks down and purchases a 56K modem to connect to the Internet. You implement Internet connectivity sharing. Now you can't see any of the other computers on your network. What do you do?A. Disable Internet Connection Sharing.B. Use IPCONFIG to release and to renewC. Disable dial on demand. ANS: A (Variation of #1 above)50. You want to create a shared Internet connection, but the users shouldn't have any permission except http and ftp-site.a. Enable HTTP-port 80 and FTP-port21ANS: A learn also that Telnet is port 23, POP3 is port 110, and SMTP is port 2551. You create a shared Internet connection on a Windows 2000 Professional computer. Your network has 10 users on the LAN. All of the users can connect to HTTP sites, FTP sites, and streaming audio content on the Internet. One of the computers on your LAN is running an FTP host application. Users on the Internet cannot connect to the FTP host on your network. What should you do?A. Configure the FTP host to accept incoming requests on service port 80.B. Configure an Internet Connection Sharing application type for FTP to use remote server port 23.C. Configure an Internet Connection Sharing service type for FTP use service port 21 on the FTP host computer.D. Configure an Internet Connection Sharing service type for FTP use service port 23 on the FTP host computer.ANS: C52. Your graphic department just got several new dual processor computers to replace the old single processor computers. The graphic department runs variety of DOS, Win16, and Win32 applications. After upgrading to new computers, users in the graphic department tell you when they are running Win16 applications; they did not see any improvement. What should you do?A. Upgrade the Win16 applications with Win32 version.Ans: A

53. You are preparing to install Windows 2000 Professional on 100 MPS-compliant computers. Each computer has two 550-MHz processors. The Computers are configured identically. You want to use one of the computers as a reference computer for deploying Windows 2000 Professional to the remaining Computers. You install Windows 2000 Professional on the reference computer. You view Device Manager and notice that the drivers for the second processor are not installed. You want to add support for the second processor on the remaining 99 computers. You want to accomplish this with the least amount of administrative effort. What should you do?A. Use Setup Manager to configure the reference computer, and then create a disk image.B. Use the System Preparation Tool with the -pnp parameter to set up the reference disk, and then create a disk image.

Page 40: Interview Questions Dump

C. Use Device Manager to add the appropriate hardware abstraction layer (HAL) to the reference computer to support the second processor, and then Create a disk image.D. After imaging the reference computer, restart the reference computer in safe mode and add the driver for the second processor.ANS: C

54. You install a new 2nd processor in your system, but your system is still slow. You check the performance log and see that the 1st processor is overloaded. What should you do to make your system use both processors?
A. Install the MPS driver for the second processor via Device Manager for the new processor
Ans: A

55. You are an administrator who has just received 100 PCs with Windows 98 on them. They also have dual 500MHz processors. You decide that you want to upgrade them all to Windows 2000 Professional. After running Setup on a machine, you realize that only one of the processors is being seen by the OS. What do you do next?
A. Run sysprep.exe and update the machines after deployment
B. Run sysprep.exe with the -pnp option
C. On the test machine, use Device Manager to update the system to recognize the second processor. Then run sysprep.exe.
ANS: C

56. You need to upgrade 6 MPS computers from NT to W2K. Each machine has two CPUs. After the upgrade performance is slow. What to do?
a) Enable AGP Bridge Controller.
b) Install the MPS-compliant drivers for the 2nd processor using Device Manager.
c) Install the ACPI-compliant drivers for the 2nd processor using Device Manager.
d) During startup, press F8 and install the MPS-compliant drivers for the 2nd CPU.
ANS: B

57. Someone is reading your Word documents. How should you set up auditing?
A. Use Explorer to enable file auditing, and change the local policy to record successful events on objects.
The options were:
- Use Explorer to enable file auditing of your files
- Enable successful auditing of object access
- Enable failed auditing of object access
- Enable successful auditing of processes
- Enable failed auditing of processes
Ans: A

58. You have a share on your local computer. Someone has been intentionally damaging your files. You want to be able to know which account is doing this. What do you do?
A. Turn on auditing for objects in the Local Security Policy and Select.
B. Use Windows Explorer to turn on auditing for the specific files.
ANS: A, B

59. You use a shared Windows 2000 Professional computer. You notice that some of your Microsoft Word documents that were on the local hard drive have been deleted. You restore the documents from a recent backup. You want to be able to track all users who access your Word documents in the future. What should you do? (Choose two.)
A. Enable the local Group Policy for auditing object access events that are successful.
B. Enable the local Group Policy for auditing object access events that are unsuccessful.
C. Enable the local Group Policy for auditing process tracking events that are successful.
D. Enable the local Group Policy for auditing process tracking events that are unsuccessful.
E. Use Windows 2000 Explorer to enable auditing for your files.
F. Run the diskperf -y command. Use System Monitor to examine the logical I/O counter. Restart the computer.
Ans: A, E

60. You want to remove the logoff option from your screen. What TWO places can you do this from?
A. Local Policy
B. Group Policy
Ans: A, B

61. You are delegated administrative control of the Graphics organizational unit (OU). You install Windows 2000 Professional on 25 PXE-compliant computers in the Graphics OU by using disk-duplicating software. The reference computer was configured to have Windows 2000 Professional default desktop settings. Users in the Graphics OU have home folders specified in their user account settings. The home folders are located on the \\Server1\Users network share. You want to change the default path of the users' My Documents folders to their respective home folders whenever users log on to the network. You want to accomplish this with the least amount of administrative effort. What should you do?
A. In the properties of the My Documents folder, select Move, and define the UNC path \\Server1\Users.
B. Reconfigure each domain user account's properties on the Profile tab, and define the UNC path \\Server1\Users.
C. Enable a Local Computer Policy to redirect the My Documents folder, and define the UNC path \\Server1\Users\%Username%.
D. Create a Group Policy object for the Graphics OU to redirect the My Documents folder, and define the UNC path \\Server1\Users\%Username%.
ANS: D

62. You are the administrator of your company's network. You want to configure a Security Policy for the Windows 2000 Professional computers that are in the sales department. On one of the computers, you use Security Templates to configure the Security Policy based on the desired security settings. You then export those settings to an .inf file that will be used on all of the computers in the sales department. You want to configure each computer to have a customized Security Policy. What should you do?
A. Use Secedit.exe to import the security settings from the .inf file to the computers in the sales department.
B. Use a text editor to change the default security settings to the desired security settings. Then export those settings to the computers in the sales department.
C. Create an organizational unit (OU) named Sales. Add the users in the sales department to the Sales OU. Then apply the security template to the users in the Sales OU.
D. Create an organizational unit (OU) named Sales. Add the computers in the sales department to the Sales OU. Then apply the security template to the computers in the Sales OU.
ANS: D

63. You are the administrator of a workgroup supporting Windows 2000 Professional computers. You configure the Group Policy by setting the Account lockout duration to 0. What effect will this have?
A. Users will never be locked out
B. Users will be locked out for 69 days.
C. Users will be locked out after one failed logon attempt.
D. Users will be locked out indefinitely until the Administrator unlocks the user account.
ans: D

64. After restarting your Windows 2000 Professional computer, your monitor shows a blank blue screen without text and the computer will not respond to keyboard or mouse commands. You discover that an incorrect driver was just installed. How should you correct the problem?
A. Use the "Last Known Good Configuration" to restart your system and correct the problem.
B. There is nothing you can do. Reinstall the operating system.
C. Call the manufacturer to request a Windows 2000 compatible driver.
D. Use the Emergency Repair Disk.
Ans: A

65. You install an ISA sound card into your Windows 2000 Professional system. The card fails. You reboot and go into safe mode. What do you do?
A. Enable driver signing
B. Disable driver signing
C. Disable driver
D. Disable using Computer Management
Ans: C

66. You installed an ISA SCSI card (?????? Only Microsoft knows this card.) After restarting your Windows 2000 Professional computer, your monitor is a blank screen without text and the computer will not respond to the keyboard. How should you correct the problem?
A. Use the "Last Known Good Configuration" to restart your system and correct the problem.
Ans: A

67. You install an external SCSI tape drive. The drivers install OK and the system starts up normally. When you reboot the PC later in the afternoon, you get a blue screen. What to do?
a. Go into Device Manager and remove the SCSI device.
b. Select the Recovery Console and disable the driver with the DISABLE command
c. Select safe mode and remove the driver
ANS: C

68. You want to troubleshoot system restoration by starting Windows 2000 Professional in Safe Mode. What should you do after the computer is restarted into Safe Mode? (Choose three.)
a. Run msinfo32
b. Run verifier
c. Expand Components, and click Problem Devices.
d. Expand Software Environment, and click Drivers.
e. Expand Hardware Resources, and click Forced Hardware.
f. Expand Hardware Resources, and click Conflicts/Sharing.
ANS: A, C, F (msinfo32 opens the System Information window)

69. Which Windows 2000 Advanced Options menu item would you use if you wanted to load Windows 2000 Professional without the GUI?
A. Safe Mode
B. Safe Mode with No GUI
C. Safe Mode Limited
D. Safe Mode with Command Prompt
Answer: D
Safe Mode with Command Prompt loads the operating system without the graphical interface. Safe Mode uses a graphical interface. There is no startup option called Safe Mode Limited or Safe Mode with No GUI.

70. Which of the following commands or utilities can be used to create an Emergency Repair Disk?
A. ERD
B. RDISK
C. RDISK32
D. The Backup utility
Answer: D
The only utility that can be used to create an Emergency Repair Disk (ERD) is the Backup utility. ERD, RDISK, and RDISK32 do not exist in Windows 2000 Professional.

71. What process do you use to restore an ERD?
A. Boot with the ERD
B. Use the Windows Backup utility
C. Use the Windows 2000 boot disk
D. Use the Windows 2000 Professional Setup Disks
Answer: D
In order to restore the system using an ERD, you must use the Windows 2000 Professional Setup Disks. The ERD is NOT a bootable disk.

72. You use Windows 2000 Professional on your desktop computer. You schedule a task to run an MMC snap-in to perform configuration tasks on other computers. You notice that the task is not completing correctly. You manually start MMC. You add the snap-in. You are then able to successfully run the task. You verify that all of your other tasks are working correctly. You want to enable your tasks to complete successfully. What should you do?
A. Use Scheduled Tasks to configure the task to run under the security context of your account.
B. Configure the Task Scheduler service account to use a local Administrator account and password.
C. Use Computer Management to start the Messenger service and to configure the Messenger service to start automatically.
D. Use Computer Management to start the Task Scheduler service and to configure the Task Scheduler service to start automatically.
ANS: A

73. You, the administrator, log onto a Windows 2000 Professional computer which is used by different students. User1 is not an administrator. You would like to use this account instead of logging on as Administrator for security reasons. You want to schedule a task to run a command called ADDUSERS.CMD to add six new users. What do you need to do?
a. Schedule the task to run under an administrator account
b. Log on as Administrator and schedule it to run under USER1
c. Take ownership of ADDUSERS.CMD
Answer: A

74. You set up scheduled tasks to run and notify you of any failures. 3 days later you see that none of the tasks ran and you received no notifications. What to do?
a. Set the Schedule service to run under the administrator account.
b. Set the scheduled tasks to run under the administrator account.
c. Enable the Messenger service
d. Set the Schedule service to run under the local system account and set it to start automatically.
ANS: C (because the Schedule service wasn't running, the jobs never ran and therefore didn't notify you of an error, because they never ran in the first place.)

75. Bob is going on a trip with his laptop configured with Windows 2000 Professional. He is concerned that he will run out of battery life and his system will crash. He asks you to configure the power-saving feature so that when he is not using his laptop, it will save his work and power down. You go into APM options. What should you do next?
A. Set the system to hibernation mode after 15 minutes
B. Set the system to snooze mode after 15 minutes.
Ans: A

76. You have a laptop that doesn't shut down at all. It stays on the shutdown screen and even if you try to switch it off, it won't switch off. What to do?
a. Enable APM in Control Panel, Power Options.
b. Disable APM in the BIOS
c. Enable hibernate in Control Panel, Power Options
ANS: A

77. You are the administrator of your company's network. You use Security Templates to configure a Security Policy on the Windows 2000 Professional computers in the Sales organizational unit (OU). You notice that the computers in the Sales OU are not downloading the Security Policy settings. On each computer, the Security Policy appears in the Local Computer Policy, but is not listed as the effective policy. You want all computers in the Sales OU to have the Security Policy listed as the effective policy. What should you do?
A. Use Security Templates to correct the setting and export the security file.
B. Use Security Configuration and Analysis to import the security setting. Then create a Group Policy object (GPO) for the Sales OU.
C. Use the Secedit /RefreshPolicy Machine_Policy command.
D. Use the Basicwk.inf security file settings, save the security file, and then import the file to the computers.
ANS: C

78. You have 30 NT 4 machines and 5 W2kpro machines on your network. You want to share files on the W2kpro machines that only they can access. The NT 4 machines must not be able to access those shared files at all. What to do?
a. Implement the hisecws.inf template
ANS: A

79. You upgrade 5 computers in the Finance organizational unit (OU) from Windows NT Workstation 4.0 to W2P. The computers are used by members of the Finance OU to run a financial application. All 5 computers are configured to have default security settings. A user named Helene reports that she can no longer run the financial application on her W2P computer. Prior to the upgrade, Helene was able to run the financial application on her computer. Helene is a member of the local Users group. You want the financial application to run on Helene's computer. What should you do?
A. Use Computer Management to configure separate memory space for each financial application on Helene's computer
B. Use Security Templates to edit the Security Policy to include the financial application on Helene's computer. Then add Helene's user account to the Power Users group on Helene's computer.
C. Use Security Configuration and Analysis to reconfigure the default security Policy.inf file to allow the financial application to run on Helene's computer
D. Use Secedit.exe to apply the compatws.inf security template to Helene's Security Policy to loosen the permissions for the local Users group on Helene's computer.
ANS: D
See the "Predefined security templates" topic in the W2K Server online help for more info.

80. You load NT 4 on C and W2kp on D. You do not want users to save files to D in either operating system, but you do want them to be able to access D. You implement user quotas in W2kp so that users cannot save files to D. When you restart the PC and go into NT4, users can still write to D. What to do?
a. Use NT4 NTFS permissions to deny users write access to D:
b. Enable EFS on D:
c. Format the NT 4 partition and reload NT 4
Ans: A

81. You have a 2 MB Windows bitmap. You have compression enabled on drive C; the file has been compressed to 1 MB. You try to copy the file to a floppy disk but you get the message "insufficient disk space." How can you copy the file to the disk?
A. Compress the bitmap with a 3rd-party compression tool, then transfer it to the A: drive.
Ans: A

82. You have an NTFS folder called Sales, which is compressed. You also have a folder called Corp, which is not compressed. You want to place Sales under Corp, still compressed, and have a backup of Sales in case something goes wrong. What should you do?
A. Back up the Sales folder to an NTFS volume, and move Sales under Corp. (One more option they had given: move Sales under Corp in the NTFS volume, but backup not mentioned)
Ans: A

83. You want to connect to your branch office printer through the browser. Your Windows 2000 Professional computer is running Peer Web Server. You were told the share name of the printer is HPColorL. You are unable to see it when you type its URL. What do you need to do to connect to this printer?
A. Double-click the connect hotspot in the left pane of the printer's dialog box to view the printer.
B. Ask the branch office administrator to reinstall the printer by using its URL as the port.
C. Install Internet Explorer 3.0 or higher on your Windows 2000 Professional computer.
D. Ask the administrator at the branch office to install IIS on the branch server.
ANS: D

84. You are delegated administrative control of the Finance organizational unit (OU). The Finance department has recently purchased 15 Windows 2000 Professional computers. Each computer has a fax modem. Each computer has the Fax service installed with the default values and settings. A user named Peter reports that he wants to add a fax printer by using the Add Printer wizard, but the wizard is missing from the Printers system folder. What should you do on Peter's computer to allow him to use a fax printer?
A. Restart the Fax service.
B. Reinstall the Fax service.
C. Remove the Local Computer Policy.
D. Add Peter to the local Administrators group.
ANS: D

85. What should you do before you share the printer with other users in the OU?
A. Change the LPT port settings to enable legacy Plug and Play detection on your computer.
B. Change the LPT port settings to bi-directional in the BIOS on your computer, then reinstall the printer software.
C. Connect the printer to another computer in the OU, then install the device driver.
D. Obtain and install the WDM-compliant device drivers and printing software for the printer.
Answer: D

86. How do you move the printer spool to another drive?
A. Print Server Properties, Advanced tab (To get to this choose Start --> Settings --> Printers. Once the Printers window opens click File --> Server Properties; this will open the "Print Server Properties" window; choose the Advanced tab. Don't fall for the WRONG answer "Printer Properties, Advanced tab")
Ans: A

87. You are admin of a company. You have a printer named Printer1 on Computer1 and it is not on. You have a similar device named Printer2 on Computer2. Users have 3 print jobs that are pending for Printer1. You want to send the three print jobs that are in the Computer1 queue to Printer2 on Computer2. You do not want to have users re-send these jobs to the printer. How can you accomplish this?
A. Select a second printer port on the printer in Computer1 and redirect the port to \\computer2\printer2
Ans: A

88. A user prints a lot of small docs by using a network printer. After printing a doc, he gets a short message that the doc has printed completely. How do you turn off these messages?
a. Print Server Properties, disable "Notify when remote documents are printed"
b. Print Server Properties, disable "Notify computer, not user, when remote documents are printed"
c. Printer Properties, disable bi-directional support
ANS: A

89. A user with the Fax service installed isn't able to receive faxes, but can send them. What is the problem?
a. Log on to the machine as Administrator and enable the fax to receive faxes (this is disabled by default)
ANS: A

90. You are the administrator of a Windows 2000 Professional computer and you have a shared printer. Several departments in your company use the shared printer. The sales department frequently sends multiple-page graphics, which take a long time to print. Users in other departments who have short messages have to wait a long time to get their documents printed. You want to improve the efficiency of printing for all users who use the shared printer. You want to accomplish this with the least amount of administrative effort. What should you do?
a. Configure the priority of the printer to 50. Add a new printer and set the priority to 1. For the new printer, deny the Print permission for the users of the sales department.
b. Configure the priority of the printer to 50. Add a new printer and set the priority to 94. For the new printer, deny the Print permission for users in the sales department.
c. Monitor the print queue and raise the priority for all of the print jobs that are sent by members who are not members of the sales department.
d. Delete the old printer. Add a new printer and set the priority to a higher value. Pause the print queue only when the graphics-intensive jobs are printing.
ANS: B (1 is the lowest priority, 99 is the highest)

91. Your Windows 2000 Professional computer has 50 MB of free space on drive C and 500 MB on drive D. Print jobs are failing because of inadequate space on drive C. You want the print jobs to be able to use the space on drive D. What should you do?
a. From the Print Server Properties dialog box, change the location of the spool folder to any existing path on drive D.
b. From the Printer Properties dialog box, go to the advanced properties option and change the location of the spool folder to D:\winnt\system32\spool
c. Copy the C:\winnt\system32\spool\printer folder to D:\winnt\system32\spool\printer
d. Mount drive C as a subdirectory on drive D
ANS: A (don't fall for B, wrong answer)

92. You have a printer on Computer1 that is shared. Computer2 has an identical shared printer. The printer on Computer1 fails. Users have sent jobs to Computer1 and the jobs are waiting to be printed. How can you print these documents without having the users resubmit the jobs?
A. Create another port on the printer on Computer1. Assign a UNC name to the port similar to this: \\Computer2\Printer2.
ANS: A

93. You're running Windows 2000 Professional. You set up a color LaserJet printer on Computer1 and you name it printer 2. You have the same color LaserJet on Computer2; you name this one printer 2. The LaserJet on Computer1 fails. You want to send the three print jobs that are in the Computer1 queue to the printer on Computer2. You do not want to have users re-send these jobs to the printer. How can you accomplish this?
A. Select a second printer port on the printer in Computer1 and redirect the port to \\computer2\printer2
B. Physically haul a 120 lb printer over to Computer1
C. Stop and restart the service
Ans: A

94. You are a member of the Enterprise Admins group at Trey Research. You create and share a printer named HPColorL2 on a Windows 2000 Server computer named pserver.treyresearch.local. You grant Print permission only to the Domain Local group named CompanySales. Later, you add a new child domain named london.treyresearch.local. Clair Hector is a member of the global group named LondonSales in the london.treyresearch.local domain. Clair reports that she is unable to send a print job to the HPColorL2 printer. You want all members of the LondonSales group to be able to print to the HPColorL2 printer. What should you do?
A. Add the LondonSales group to the CompanySales group.
B. Add the CompanySales group to the LondonSales group.
C. Change the CompanySales group to a universal group.
D. Change the LondonSales group to a universal group.
ANS: A

95. You are the administrator of your company's network. The network has 50 Windows 2000 Professional computers. Each computer has 32 MB of RAM. A user named Susan in the accounting department reports that her computer performs very slowly when she runs the company's accounts payable application. You suspect that her computer's RAM is insufficient when other applications are running. You want to find out whether adding more RAM would improve the performance of Susan's computer. You start the application. What should you do next?
A. Use Task Manager to see if memory usage exceeds 32 MB.
B. Use Task Manager to see if the peak commit charge exceeds 32 MB.
C. Use System Monitor to see if the Processor\% Processor Time counter consistently exceeds 50.
D. Use System Monitor to see if the Memory\Page Faults per Second counter consistently exceeds 50.
ANS: A

96. A user named Tom reports that an application on his W2P computer is running slowly. You notice Tom's computer has 64 MB of RAM and 100 MB of free disk space. What should you do to improve the performance? (Check all that apply)
A. Add Tom to the Power Users group
B. Set the total paging file to 75% of physical memory
C. Perform a disk analysis and use the Disk Defragmenter if recommended
D. Use Disk Cleanup to delete temporary files and unnecessary program files
E. Ensure that the Performance Options window is optimized for background services
ANS: C, D

97. You have a PC on which an application is halting for some reason. You take a look at Task Manager and notice there is another application running at Realtime priority. What should you do?
A. Decrease the base priority of the application running at Realtime.
ANS: A

98. Two hard disks; the computer runs very slowly. Disk 1 contains Windows 2000. Where and how do you put the paging file?
A. On any partition other than the system partition or boot partition
ANS: A

99. You have two processes running on your computer, P1 and P2. You notice that when you run both of them, P2 always times out, while when you pause/stop P1, P2 runs fine. P1 runs with "Realtime" priority and uses 12 threads; P2 runs with "Normal" priority and uses 1 thread. What should you do?
A. Decrease the base priority for P1
ANS: A

100. You want Excel to receive all the processor time possible on your Windows 2000 Professional computer because you are processing some complex formulas. What do you need to change on your system?
A. Put the logged-on user in the Power Users group so that system rights will be increased.
B. In the System's Environment Variables dialog box, in Control Panel, increase the amount of RAM for user applications.
C. Under the System property sheet found in Control Panel, increase the paging file initial size to the value currently in the maximum size available in the Performance Options dialog box.
D. Under the System property sheet found in Control Panel, choose the Advanced tab and make sure applications receive the foreground priority.
ANS: D

101. You want to configure Image Color Management (ICM) everywhere possible on your new computer. Which devices are configurable for ICM 2.0 on your Windows 2000 Professional computer? (Choose all that apply.)
A. Displays
B. Tablets
C. Printers
D. CD-ROM disks
E. Barcoders
F. Cameras
G. DVD disks
H. Scanners
Ans: A, C, F, H (These are the only correct ones, check them out.)

102. You have a Windows 2000 Professional system. It has a built-in 33.6k modem; you installed another 56k modem. The 56k modem is conflicting with the 33.6k modem. You only need the 56k modem to work. You rebooted the machine in safe mode. Then they show an exhibit. (Choose 2)
A. Disable the 33.6k modem using Computer Management.
B. Remove the 33.6k modem using Computer Management.
C. No action required
D. Something else?
Answer: A, C

103. You are having problems with video during an unattended installation; the screen flickers and blanks out. Place the cross hairs on the line where the problem exists in your unattended.txt file.
[Display]
BitsPerPel = 8
A. Vrefresh = 80
B. Xresolution = 640
C. Yresolution = 480
ANS: A

104. You install a new CD-ROM. It is not working correctly. You check resources and see that it is not using "Automatic" resource settings. How do you get your CD-ROM to work?
A. Check "Use Automatic Settings"
ANS: A

105. You are trying to install a Plug and Play printer. During the completion of the install, the following error pops up: Plug-n-play printer error 00000007E-293 WINPRINT.DLL modules not found. What can you do?
A. Install a WDM-compliant driver
ANS: A

106. You are the administrator of your company's network. You install Windows 2000 Professional onto 10 computers in the Graphics department. The 10 computers have built-in USB controllers. You then physically install new USB tablet devices on each of the 10 computers. You are prompted for the tablet software. You install the tablet software and a tablet icon appears in Control Panel to configure the device, but the device does not work. You view Device Manager as in the "Exhibit" (Click the "Exhibit" button). You want the USB tablets to work on all 10 computers. What should you do?
A. Disable USB error detection for the USB Root Hub controller and enable the USB tablet device in the hardware profile.
B. Reinstall the USB device drivers and disable the USB error detection.
C. Enable the USB Root Hub controller and reinstall the USB tablet device driver.
D. Enable the USB ports in the computer BIOS and reinstall the USB tablet device drivers.
Ans: D

107. You have a system with two monitors, both set for 16-bit color and 1024 x 768 resolution. You decide to set up a DOS application in a DOS Virtual Machine window. The default DOS configuration is in effect (default autoexec.nt and config.nt) and the default DOS.PIF file is present. You place the shortcut on the first monitor screen. When you open it the screen goes to scramble. You move the shortcut to monitor #2 and launching the app locks. What do you need to do?
A. Change both monitors to 256 colors. Configure the application to run full screen
B. Change both monitors to run at optimal settings. Configure the application to run full screen
C. Update the drivers for video card #1. Change #2 to 640 x 480
D. Do something else
Ans: A or B (Info here is kind of unclear, but if answer B is to keep the 16-bit color setting and set the DOS app to full screen, this is the right answer; you don't need to change the color setting to 256.)

108. You install a USB scanner but it doesn't work. EXHIBIT shows exclamation mark at Infrared port, but notice that the USB ports are missing!A: Request new BIOS from the hardware manufacturer to enable USB ANS: A109. You install a USB camera, but it doesn't work. The device manager EXIHIBT shows the USB root hub entry missing. What should you do?A. enable the USB port in the BIOS ANS: A110. A mouse driver is not working, then the admin installs a new-signed mouse driver and reboots. After rebooting he looks in the device manager and sees that the old driver is still installed. How does he fix this?a. Use device manager to remove the original driverANS: A If one of the choices is "Add/Remove Hardware", it is better to choose this one because it will remove the device and the drivers from the computer. Device manager will remove the device, but the drivers will remain in the system.111. Some question about a mouse driver not working, then the admin installs a new signed mouse driver and reboots. After rebooting he looks in the device manager and sees that the old driver is still installed. How does he fix this?In other dump, the answer is: Use device manager to remove the original driver. However, in my exam, the answers have something to do with:A. Configure OU policy to allow installation of drivers overwrite Local Policy.B. Configure Domain policy to allow installation of drivers overwrite local policy.C. Configure local policy to allow installation of drivers to overwrite OU policyThe wording is not exact. ANS: A Note that the old mouse driver may have been installed using a local policy, Therefore you have to configure a OU policy which is higher than a local policy to allow installation of drivers to overwrite Local Policy.112. The PC picks up the installed screen card as VGA 16 colors. You cannot change any of the colors or resolution settings. The manufacturer, version, make etc. of the card is not shown. What to do?A. Install a driver for the monitor.B. 
Install a WDM compliant driver for the screen card and monitor.C. Change the screen card.D. Move the card to another slot.ANS: B 113. You install 10 PC's. 6 PC's have 10/100 UTP/BNC and 4 have UTP card and connect to the network. The PC's have UTP/BNC card don't connect. The others do. What should you do? A. change the settings of PC's with UTP/BNC cards to use the UTP connector ANS: A

Page 52: Interview Questions Dump

114. You install 10 PCs. PC 6 and PC 8 have a UTP card and connect to the network. The other 7 PCs have UTP/BNC cards but do not connect. What should you do?
A. Change the settings of the PCs with UTP/BNC cards to use the UTP connector.
ANS: A

115. You have a 10 Mbps NIC in your computer. You install a 100 Mbps network card and restart the computer. The 100 Mbps card is not working because of a conflict with the 10 Mbps card. You want only the 100 Mbps card to be active. What should you do?
A. Disable the 10 Mbps card using Disable Device in Device Manager.
ANS: A

116. You are the administrator of your company's network. You configure a local group named Accounting to have a mandatory user profile. The mandatory profile has been configured to include a custom logo that was saved with 16-bit color and 1024x768 resolution. Some of the Windows 2000 Professional computers in the accounting department have standard VGA video adapters, and others have SVGA video adapters. Several users report that when they log on to certain Windows 2000 Professional computers, the custom bitmap becomes very pixelated and distorted, and does not reflect the proper color depth. You want users to be able to correctly view the custom bitmap on any computer in the accounting department. What should you do?
A. Change the custom bitmap to a 16-color bitmap that has 640x480 resolution, and reconfigure the mandatory user profile.
ANS: A

117. You are configuring a Windows 2000 Server computer as a Routing and Remote Access server for a branch office. You discover that an incorrect driver was installed during the installation of the modem. You attempt to remove the modem by using Phone and Modem Options in Control Panel. After each attempt to remove the modem by using this method, the computer stops responding, and you restart the computer again. You must install the correct driver for the modem as quickly as possible. What should you do?
A. Use the Add/Remove Hardware wizard to uninstall the modem. Restart the server.
B. Shut down the server, remove the modem card, and restart the server. Shut down the server again, insert the modem card, and restart the server.
C. Delete all references to modems in the registry.
D. Run the Modem troubleshooter and remove the modem when prompted. Restart the server.
ANS: A

118. Your Windows 2000 Server computer uses a non-Plug and Play ISA modem configured to use IRQ 5. You add a PCI modem and restart the computer. Device Manager reports an IRQ conflict between the two modems: both modems are trying to use IRQ 5. You want to resolve the problem. What should you do?
A. Use Device Manager to change the IRQ for the original modem to IRQ 9.
B. Use Device Manager to change the IRQ for the original modem to IRQ 10.
C. Edit the CMOS settings on the computer to reserve IRQ 5 for non-Plug and Play devices.
D. Edit the CMOS settings on the computer to reserve IRQ 10 for non-Plug and Play devices.
ANS: C

119. Which 3 methods can you use to install a modem under Windows 2000 Professional? (Choose 3)
A. Plug in a Plug and Play modem.
B. Use the Add/Remove Hardware program in Control Panel.
C. Use the Phone and Modem Options program in Control Panel.
ANS: A, B, C

120. You want to view a list of installed multimedia devices, determine driver versions and perform diagnostics. Which interface should you use?
A. The Hardware tab of the Sounds and Multimedia program in Control Panel.
ANS: A

121. You are the administrator of a Windows 2000 network. Your network includes 75 Windows NT Workstation 4.0 computers. You are adding 50 new PXE-compliant computers to the network. The hardware on each computer is configured identically. You are using a RIS image to deploy Windows 2000 Professional to the 50 computers. You successfully install Windows 2000 Professional on the first 10 computers. However, you cannot install Windows 2000 Professional on the remaining 40 computers. What should you do?
A. Configure the DHCP scope to add additional IP addresses.
B. Run Rbfg.exe from the RemoteInstall\Admin folder on the RIS server.
ANS: A

122. You want to install Windows 2000 Professional on 30 PXE-compliant computers and 35 non-PXE-compliant computers. All 65 computers are included on the current Hardware Compatibility List (HCL). You create a RIS image. You load the image on the RIS server. You then start the 65 computers. You find that the 30 PXE-compliant computers can connect to the RIS server. However, the 35 non-PXE-compliant computers cannot connect to the RIS server. What should you do?
A. Run Rbfg.exe to create a non-PXE-compliant startup disk.
B. Run Riprep.exe to create a non-PXE-compliant startup disk.
C. Grant the Everyone group NTFS Read permission for the RIS image.
D. Grant the Administrators group NTFS Read permission for the RIS image.
Ans: A

123. You want to automate the RIS installation of a sysprepped image. You copy sysprep.exe and setupcl.exe to a SDD. It doesn't work out as planned. What else should you do? (Choose 2)
a. Copy sysprep.inf to the SDD.
b. Use the /pnp switch when you run sysprep.exe.
ANS: A, B

124. You have a DNS server, Active Directory installed, a RIS server, and a client computer that meets the Net PC specification. The client computer is behind a non-BOOTP-compliant (it could also say non-RFC 1542-compliant) router. Drag and drop the appropriate items to make it work.
A. Windows 2000 Server with RIS installed
B. DNS server
C. DHCP server (authorized in Active Directory)
D. Windows 2000 domain with Active Directory
E. Client computer that meets the Net PC specification
F. Ability of the Net PC to reach the DHCP server
Ans: A, B, C, D, E, F
You had to drag the DHCP relay agent onto the router and drag a DHCP server as well. To answer this question correctly, you need to know what is required to install via RIS.

125. You want to use RIS to install Windows 2000 Professional on 25 systems, but your clients cannot connect to your RIS server. Why? (Drag and place figure, and select the missing server)
A. The DHCP server is missing.
Explanation: The Remote Installation Services environment consists of several technologies and services within a network containing an existing Dynamic Host Configuration Protocol (DHCP) server, Domain Name System (DNS) server, and Active Directory. You use the Pre-Boot eXecution Environment (PXE) DHCP-based remote boot technology to install the operating system on the client computer from a remote source. The remote source, the Remote Installation Services server, contains the operating system image to be installed in either compact disc (CD) or Remote Installation Preparation wizard (RIPrep) image format. The CD-based option is similar to setting up a client directly from the Windows 2000 Professional CD, except that the source files reside on an available Remote Installation Services server. You use the RIPrep option if you want to install and configure a client computer to comply with specific corporate desktop standards that are unique to the organization.
Ans: A

126. You are the administrator of your company network. Your network is configured as shown in the exhibit. You want to install Windows 2000 on 10 non-PXE-compliant computers on the marketing segment of the network. The 10 computers do not have an OS installed. You attempt to load the computers using the RIS image that is on the RIS server. You find that the computers cannot connect to the RIS server. You verify that the existing client computers can connect to the servers, including the RIS server. You then check the network servers and find that the Windows NT Server 4.0 computer running WINS has stopped responding due to a hard disk failure. You want to enable the computers to connect to the RIS server. What should you do? (Choose two)
a. Repair and restore the WINS server.
b. Repair the WINS server and upgrade the server to Windows 2000 Server.
c. Configure the AD server to run DHCP.
d. Configure a static entry in WINS that points to the RIS server.
e. Create and use the RIS boot disk, and run riprep.exe to create a non-PXE-compliant startup disk.
ANS: C, D

127. You want to install Windows 2000 Professional on X new computers on your company's network. You first install Windows 2000 Professional on one of the new computers. You log on to the computer by using the local Administrator account. You install Microsoft Office 97, a virus scanner, and other company-standard applications. You then create a RIS image of the computer you configured. You want to configure the RIS image so that the standard applications will be accessible to the user when the user first logs on to the network. What should you do?
a. Run RBFG.exe before installing the standard apps.
b. Run RIPREP.exe before installing the standard apps.
c. Copy the All Users profile to the Default User profile.
d. Copy the local Administrator account profile to the Default User profile.
Ans: D

128. You are upgrading 50 Windows 98 computers to Windows 2000 Professional. They all have exactly the same hardware and are PXE compliant. The first 10 computers install correctly. How do you install Windows 2000 Professional on the rest?
A. Change BIOS settings.
B. Add more IP addresses in the DHCP server.
C. Make startup disks using RBFG.EXE.
Ans: B

129. You use Windows 2000 Professional on your desktop computer. You are working on your company's annual financial report. You want other users on the network to be able to modify your documents for the report. You use Windows Explorer to share the financial report folder on the network. Because the report contains confidential information, you want to prevent users from enabling offline access for the network share that contains the financial report. What should you do?
A. Use Windows Explorer to disable Offline Files.
B. Use Windows Explorer to disable caching for the reports on the network share.
C. Use Windows Explorer to grant users Special access for the reports on the network share.
D. Use Synchronization Manager to configure synchronization not to occur when users are connected to the LAN connection.
ANS: B
Note that disabling caching on the share only stops the Offline Files client from keeping a local copy; any user with Read access can still copy the report elsewhere, so this setting is not a substitute for NTFS permissions (and EFS where the data is sensitive).

130. You are using a Windows 2000 Professional computer. You create a shortcut for a folder named Projects on a network share. You want to make the shortcut to the Projects folder available when you are not connected to the network. You attempt to configure the shortcut to be available offline. However, you do not see an option to make the folder available offline. What should you do?
A. Use Windows Explorer to enable caching for the Projects folder.
B. Use Windows Explorer to configure the Projects folder on the network share to be available for offline access.
C. Connect to the network before trying to make the shortcut available offline.
D. Create shortcuts to each file in the Projects folder, and then make the shortcuts to the files available offline.
ANS: A

131. You need to share a financial spreadsheet with other employees of your company. The material is of a sensitive nature and you want to prevent users from using offline caching. How do you do this?
A. Assign special permissions.
B. Open the shared folder's properties, click Caching, and clear "Allow caching of files in this shared folder".
Ans: B

132. You are the administrator of your company's network. A user named Peter runs Windows 2000 Professional on his portable computer. Peter wants to be able to work at home on files that were created in the office on the company network. Prior to logging off the network and leaving the office, Peter enables Offline Files. Peter calls you from home and reports that copies of his folders and files on the network are not available on his portable computer. What should you instruct Peter to do?
A. Enable file and print sharing. Peter will be able to access his files at home immediately.
B. Synchronize all offline files. Peter will be able to access his files at home immediately.
C. At the office, make all files available offline. Peter will be able to access his files the next time he logs off the network.
D. At the office, create a shortcut to the Offline Files folder. Peter will be able to access his files the next time he logs off the network.
ANS: C

133. You are the administrator of your company's network. You receive a request from Stephen's manager to disable Stephen's access to a network share named Financial. Stephen's user account is the only member of a group named Reports. The Reports group has Full Control permission to the Financial share. You delete the Reports group. You later find out that the manager was in error and that Stephen should have his access to the Financial share restored. What should you do?
A. Re-create Reports and re-create Stephen's user account. Use existing NTFS permissions.
B. Re-create Reports and grant Reports NTFS Full Control permission to Financial. Stephen's user account will still be a member of Reports.
C. Re-create Reports and grant Reports Full Control permission to Financial. Add Stephen's user account to Reports.
D. Re-create Reports and add Stephen's existing user account to Reports. Use existing NTFS permissions.
ANS: C
Permissions are stored against the group's SID, not its name. A re-created group gets a new SID, so the ACE that referenced the deleted group no longer applies, and the membership list was lost with the group. Both the permission and Stephen's membership therefore have to be granted again.

134. How can you quickly find out the full path descriptions to all of your shares?
A. System Tools in the Computer Management tool. (There is a similar, longer question; see 135.)
Ans: A

135. Your Windows 2000 Professional computer has 10 shared folders that are available to other network users. A user reports that he cannot access a shared folder named Share A. You want to respond to the user's problem as quickly as possible by using an administrative tool. However, you cannot remember the location of Share A on the computer. What should you do?
a. Use Windows Explorer to display the file paths of your shared folders.
b. Use Storage in Computer Management to view local drive properties.
c. Use Event Viewer in Computer Management to search for shared folder error messages.
d. Use System Tools in Computer Management to display the file paths of your shared folders.
Answer: D

136. You are the administrator of your company network. A user named Andrew has limited dexterity, which prevents him from using a standard keyboard when completing his daily tasks. You configure Windows 2000 Professional to use the StickyKeys and On-Screen Keyboard options. You save the accessibility options to a shared folder on the local hard disk of Andrew's computer. You want to configure the same options for another user, Peter. You log on to Peter's computer using his local user account and you access the folder over the network from Peter's computer. You select the .acw file from the shared folder to set up Peter's computer to use the accessibility options. You receive the following error message: "There was a problem running the file when running the Accessibility Wizard." What should you do?
a. Give the user on the second PC Read access to the shared folder on the first PC.
b. Copy the .acw file to C:\Documents and Settings\Default User.
c. Copy the file to a SDD and then use it on the second PC.
ANS: A
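Added example for question 133 (not part of the interview dump): NTFS stores each ACE against the group's SID, not its name, so deleting a group and re-creating one with the same name does not bring its permissions back. The PowerShell below was written for this page to reproduce that on a local test folder; it assumes an elevated session on Windows 10 / Server 2016 or later with the Microsoft.PowerShell.LocalAccounts module, and the group, folder and account names are hypothetical.

```powershell
# Added example, not from the interview dump. Shows why re-creating a deleted
# group does not restore its permissions: ACEs reference SIDs, not names.
# Assumes an elevated session with the Microsoft.PowerShell.LocalAccounts module.
# Group, folder and user names below are hypothetical.
$folder = Join-Path $env:TEMP 'Financial'
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# 1. Create the Reports group and grant it Full Control on the folder.
$group  = New-LocalGroup -Name 'Reports' -Description 'demo group'
$oldSid = $group.SID.Value
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    'Reports', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $folder
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 2. Delete the group. The ACE stays behind; Get-Acl can no longer resolve it
#    to a name, so IdentityReference now shows the raw SID.
Remove-LocalGroup -Name 'Reports'
$orphan = (Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $oldSid }
"Orphaned ACE: $($orphan.IdentityReference) -> $($orphan.FileSystemRights)"

# 3. Re-create a group with the same name: it gets a new SID and matches nothing.
$newGroup = New-LocalGroup -Name 'Reports' -Description 'demo group, re-created'
"Old SID: $oldSid"
"New SID: $($newGroup.SID.Value)"
$granted = (Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference.Value -eq "$env:COMPUTERNAME\Reports" }
"New Reports group has an ACE on the folder: $([bool]$granted)"    # False

# 4. Fix: purge the orphaned ACE, grant the new group, and re-add the member.
$acl = Get-Acl -Path $folder
$acl.PurgeAccessRules((New-Object System.Security.Principal.SecurityIdentifier $oldSid))
$acl.AddAccessRule($rule)       # 'Reports' now resolves to the new SID
Set-Acl -Path $folder -AclObject $acl
# Add-LocalGroupMember -Group 'Reports' -Member 'Stephen'   # hypothetical account
```

Step 2 is also how you recognise this situation in the wild: an ACL entry that displays as a bare S-1-5-21-... SID is a principal that no longer exists, and cleaning such entries out is part of the fix, not just cosmetic.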

137. A power surge destroys the hard disk's MBR and causes your Windows 2000 computer to fail to boot afterward. How do you fix it?
A. Boot with the Windows 2000 CD-ROM and select the Recovery Console; use the fixmbr command to fix the MBR.
Ans: A

138. Which command in the Recovery Console will allow you to disable a service?
A. Disable
Ans: A

139. Your computer has Windows 2000 Professional installed. Your office has a power outage while you are running the Windows 2000 Disk Defragmenter. When you start the computer you receive the following message: "Bad or missing OS". What should you do?
a) Start the computer in Safe Mode and reformat the hard disk.
b) Start the computer in debug mode and reformat the hard disk.
c) Start the computer using the ERD and repair the Master Boot Record.
d) Start the computer by using the Windows 2000 Professional CD-ROM. Then use the Recovery Console to repair the Master Boot Record.
ANS: D

140. You install a ZIP drive into a Windows 2000 system. You install the drivers. On reboot, the system locks. You can't get in, and even Safe Mode doesn't work. How do you unload the driver to get back into Windows 2000 Professional? (Choose three)
A. Go into Device Manager and remove the ZIP drive.
B. From a command prompt run LISTSVC to disable the ZIP driver.
C. From a command prompt run DISABLE to disable the ZIP driver.
D. Select the Recovery Console from the repair options.
E. Start the PC from the CD-ROM.
Ans: C, D, E

141. You work for an accounting firm. Currently all developers are running Windows 98. The company wants to go to Windows 2000 Professional. Programmers are going to need to code in both a Windows 98 environment and a Windows 2000 environment. What file system can you install that will optimize the availability of code to both environments?
A. FAT16
B. FAT32
C. NTFS
D. HPFS
Ans: B

142. You have 3 drives: 0, 1 and 2. You want to put Windows 98 on drive 0 and Windows 2000 Professional on drive 1, and you want to put files on drive 2 that can be accessed from both. Open the exhibit and place FAT32 on drives 0 and 2 and NTFS on drive 1. The question gives some detail about needing NTFS features on drive 1.
A. Drive 0 = FAT32, Drive 1 = NTFS, Drive 2 = FAT32
Ans: A

143. Which of the following volume Properties dialog box tabs do you see for FAT32 partitions in the Disk Management utility? Choose all that apply.
A. General
B. Sharing
C. Security
D. Quota
Ans: A, B
The Security and Quota tabs are only available for NTFS partitions.

144. Which of the following statements is true of dynamic disks in Windows 2000 Professional? Choose all that apply.
A. Dynamic disks can be recognized by Windows NT 4 or Windows 2000.
B. Dynamic disks are only supported by Windows 2000.
C. Dynamic disks support features such as simple volumes, extended volumes, spanned volumes, and striped volumes.
D. Dynamic disks support features such as simple volumes, extended volumes, spanned volumes, mirrored volumes, and striped volumes.
Answer: B, C
Dynamic disks can only be accessed through Windows 2000. They do not support mirrored volumes in the Professional version of Windows 2000.

145. What utility can be used to identify areas of disk space that can be deleted to free additional disk space?
A. Disk Cleanup
B. Disk Manager
C. Disk Administrator
D. Disk Defragmenter
Answer: A
The Disk Cleanup utility is used to identify areas of space that may be reclaimed through the deletion of temporary files or Recycle Bin files.

146. Scott frequently accesses and updates a large number of files. He is noticing that the larger the files get, the longer it takes to access the files. He suspects that the problem is related to the files being spread over the disk. What utility can be used to store the files sequentially on the disk?
A. Disk Cleanup
B. Disk Manager
C. Disk Administrator
D. Disk Defragmenter
Answer: D
The Disk Defragmenter utility is used to rearrange files so that they are stored contiguously on the disk. This optimizes access to those files.

147. What steps would you take to access the Disk Defragmenter utility?
A. Use Disk Administrator
B. Use Disk Manager
C. Through Programs > Accessories > System Tools
D. Through Programs > Administrative Tools > System Tools
Answer: C
You access the Disk Defragmenter utility through Start > Programs > Accessories > System Tools > Disk Defragmenter.
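Added example for questions 138 and 140 (not part of the interview dump): the Recovery Console's LISTSVC and DISABLE commands read and rewrite the Start value of the service's key in the offline SYSTEM hive. On a current Windows system the same repair is done by loading that hive from the non-booting installation, which the PowerShell below (written for this page) does; it assumes the affected disk is attached to a working Windows system as E: (or a WinPE image that includes PowerShell), an elevated session, and a hypothetical driver service name.

```powershell
# Added example, not from the interview dump. Modern equivalent of the
# Recovery Console's LISTSVC and DISABLE: load the offline SYSTEM hive and set
# the faulty driver's Start value to 4 (SERVICE_DISABLED) so the OS can boot.
# Assumes an elevated session; the offline path and driver name are hypothetical.
$offlineWindows = 'E:\Windows'
$driver         = 'ppa3'     # hypothetical service name of the faulty ZIP driver

$hivePath = Join-Path $offlineWindows 'System32\config\SYSTEM'
reg.exe load 'HKLM\OfflineSystem' $hivePath | Out-Null
try {
    # Which control set will the offline OS boot with? Select\Current -> ControlSet00N
    $current  = (Get-ItemProperty -Path 'HKLM:\OfflineSystem\Select' -Name Current).Current
    $services = 'HKLM:\OfflineSystem\ControlSet{0:D3}\Services' -f $current

    # LISTSVC equivalent: drivers that load at boot or system start (Start 0 or 1).
    Get-ChildItem -Path $services | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($null -ne $p.Start -and $p.Start -le 1) {
            [pscustomobject]@{ Name = $_.PSChildName; Start = $p.Start; ImagePath = $p.ImagePath }
        }
    } | Sort-Object Name | Format-Table -AutoSize

    # DISABLE equivalent: record the old start type, then write SERVICE_DISABLED.
    # Start values: 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled.
    $key = Join-Path $services $driver
    if (-not (Test-Path -Path $key)) { throw "No service named $driver in the offline hive" }
    $old = (Get-ItemProperty -Path $key -Name Start).Start
    Set-ItemProperty -Path $key -Name Start -Value 4 -Type DWord
    "Changed $driver Start from $old to 4 (disabled); re-enable it after the driver is fixed"
}
finally {
    [gc]::Collect()    # release the provider's handles first, or reg unload reports Access is denied
    reg.exe unload 'HKLM\OfflineSystem' | Out-Null
}
```

As with the Recovery Console, note the previous Start value before changing it: a boot-start driver left at 4 after the real fault is repaired is the next support call.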

148. Windows NT 4.0 is currently on the system you are using, and you want to install Windows 2000 Professional. Windows NT 4.0 is currently on an NTFS partition. For some reason you have decided not to upgrade, but to run the two in a dual-boot configuration. What do you need to do?
A. It can't be done.
B. You need to put Windows 2000 on a separate partition from Windows NT 4.0.
C. You need to upgrade Windows NT 4.0 to SP4.
ANS: C
Windows 2000 Setup upgrades the volume to the NTFS 5 format; Windows NT 4.0 can read that format only with the NTFS driver shipped in Service Pack 4 or later.

149. Which of the following files are required to boot the Windows 2000 Professional operating system? Choose all that apply.
A. NTLDR
B. BOOT.INI
C. NTOS.EXE
D. NTDETECT.COM
Answer: A, B, D
The files that are required to boot Windows 2000 are NTLDR, BOOT.INI, NTDETECT.COM, and NTOSKRNL.EXE. There is no boot file called NTOS.EXE.

150. Which of the following files loads the Windows 2000 Professional operating system?
A. NTLDR
B. NTOSKRNL.EXE
C. BOOTNT.EXE
D. NTOS.EXE
Answer: B
The NTOSKRNL.EXE file is the Windows 2000 Professional kernel. NTLDR controls the Windows 2000 boot process. There is no boot file called BOOTNT.EXE or NTOS.EXE.

151. Which of the following options are configured through the BOOT.INI file? Choose all that apply.
A. The location of the boot partition
B. The location of the system partition
C. The Windows 2000 boot menu
D. The default operating system that should be loaded
Answer: A, C, D
The BOOT.INI file specifies the location of the boot partition, the boot menu, and the default operating system that should be loaded. The system partition is the active partition, not a BOOT.INI setting.

152. Which of the following files is used to initialize and start the Windows 2000 boot process?
A. NTLDR
B. NTOSKRNL.EXE
C. STARTNT
D. NTBOOT.EXE
Answer: A
When you install Windows 2000, the NTLDR file is copied to the active partition. This file executes when you choose to load the Windows 2000 operating system and is used to initialize the Windows 2000 boot process.

153. Which of the following files is used to build the operating system menu choices that are displayed during the boot process?
A. NTLDR
B. NTOSKRNL.EXE
C. STARTNT
D. BOOT.INI
Answer: D
The BOOT.INI file is used to build the operating system menu choices that are displayed during the boot process. It is also used to specify the location of the boot partition.

154. Your computer is configured to dual-boot between Windows 98 and Windows 2000. How would you configure the computer so that Windows 98 would be the default selection if the user did not make a choice within the specified amount of time?
A. Through the STARTUP.INI file
B. Through the SYSTEM.INI file
C. Through Control Panel, Startup Options
D. Through Control Panel, System, Startup and Recovery
Answer: D
Through the System icon in Control Panel, you can access the Startup and Recovery options. The Default Operating System option lets you specify which operating system will load if no user selection is made.

155. You use slipstreaming to apply a service pack to the installation files for Windows 2000 Professional on your network share. Then you publish a software application that will be installed by various departments throughout the corporation on their Windows 2000 Professional computers. The application impacts the system state on any computer on which it gets installed from the publication. What must you do about the new service pack?
A. The update /slip command will correct the system files that were affected by the installation of the application on each computer receiving the software. It will also apply the service pack from the distribution folder. You need to run update /slip on each Windows 2000 Professional computer of the installed base.
B. Windows 2000 knows to automatically reinstall the correct system files that the service pack applied after the software is installed from the publication. You aren't required to do anything.
C. The new service pack has not yet been applied to the installed base of Windows 2000 Professional computers, so they don't have it. You must run update on each computer that got a Windows 2000 Professional installation before the service pack was slipstreamed to the installation share.
D. You should manage the newly published software application with Windows Installer. Get the .msi from the vendor and reinstall this application on the network share.
Ans: C

156. You are preparing an unattended answer file for eight new Windows 2000 Professional computers. The person initiating the setups should not have to answer questions during the installations. How is the license agreement handled?
A. You will create the license agreement answer in the [LicenseFilePrintData] section of the answer file.
B. Your acceptance of the license agreement is included as a switch for winnt32.exe when you are using the Winnt.sif file.
C. Your acceptance of the terms of the license agreement is associated during the computer name generation section of the answer file. The agreement is then tied to each computer installed.
D. You will be asked to accept the terms of the license agreement for all unattended installations if you choose the Fully Automated option while preparing the answer file.
Ans: D
If you are creating a fully unattended install, as the question states, you MUST agree to the EULA in Setup Manager or you cannot go on. If you don't want to answer any questions during Setup, a parameter needs to be added to the [Unattended] section that states OemSkipEula=Yes, and a valid value for ProductId in the [UserData] section needs to be entered. With retail product keys you will have to create 8 different answer files with different product IDs for the eight computers; if you use only one answer file, all the computers get the same product ID (a volume-licence key can be reused, so a single answer file is enough in that case). After you create the answer file with the Setup Manager Wizard you can open it with a text editor and add entries under the [UserData] section like this:

    [UserData]
    FullName = "Your user name"
    OrgName = "Your organization name"
    ; It is recommended that you avoid using spaces in the ComputerName value.
    ComputerName = "YourComputer_name"
    ; To ensure a fully unattended installation, you must provide a value for the ProductId key.
    ProductId = "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"

157. You are upgrading a computer from Windows 98 to Windows 2000 Professional. The computer is a 400 MHz Pentium III, and has 128 MB of RAM and a 10 GB hard disk. You are performing the installation by using the Windows 2000 Professional CD-ROM. After the text-mode portion of the installation is complete, you restart the computer. The BIOS virus checker on your computer indicates that your computer is infected with a Master Boot Record virus. What should you do before you continue the installation?
A. Remove the virus checker in Windows 98.
B. Disable the BIOS virus checker and restart the computer.
C. Run Fixmbr.exe from the Windows 2000 Professional CD-ROM.
D. Modify Boot.ini to include a signature parameter on the ARC path of the system partition.
ANS: B
(Setup rewrites the boot sector, which is exactly what a BIOS boot-sector protection feature flags; it is a false positive, not an infection.)

158. You wish to check and make sure that the hardware that is installed on a client will be compatible with a Windows 2000 Professional upgrade. Which of the following will give you this information?
A) Run WINNT32.EXE /checkupgradeonly
B) Run WINNT.EXE /checkupgradeonly
C) Run chkdsk.exe
D) There is no way to do this other than to take inventory of the hardware installed and verify it on the Hardware Compatibility List (HCL).
ANS: A

159. You want to upgrade 150 computers from Windows NT Workstation 4.0 to Windows 2000 Professional. You create an Unattend.txt file by using Setup Manager. You copy the file to a floppy disk. You then start the installation on a test computer by using the Windows 2000 Professional CD-ROM. You insert the floppy disk after the computer starts. Although you had set the user interaction level to fully unattended mode, you are prompted for all the required parameters. You want to ensure that the unattended installation does not prompt you for input. What should you do?
A. Add a [Data] section to Unattend.txt, and set the UnattendedInstall parameter to Yes.
B. Add a [Unattend] section to Unattend.txt, and set the OEMPreinstall parameter to Yes.
C. Rename Unattend.txt on the floppy disk to Winnt.sif.
D. Create a $OEM$\$1 folder on the hard disk of the test computer, and copy Unattend.txt to the folder.
ANS: C

160. You are upgrading two Windows NT 4.0 computers to Windows 2000. Computer 1 completes the upgrade with no problems. During the upgrade of Computer 2, you experience a power loss and cannot boot into NT 4.0. You want to use Computer 1 to help Computer 2 recover. How can this be done?
A. Do an across-the-network install.
B. Run MAKEBT32.EXE to make diskettes to start your machine.
C. Copy the boot files from Computer 1 to a floppy, boot to the floppy and continue the setup of Computer 2.
Ans: B

161. You want to upgrade some PCs in your company. They have different hardware and use different peripherals. How can you check the compatibility while minimizing your work?
a. Install Windows 2000 on all the machines and see what happens.
b. Copy winnt32.exe to a floppy disk and run it on all the machines with the /checkupgradeonlyQ switch. (This is not a spelling mistake; the exam actually put a Q at the end of that switch.)
c. Use Setup Manager to create an unattend file, and then modify the [Win9xUpg] section.
ANS: C
(Check the Windows white paper titled "Upgrading your corporate Windows 9x Desktops to Windows 2000 Professional". Answer B is a catch, a typical Microsoft tactic: if you put winnt32.exe alone on a floppy and execute it, it won't work. Also, the question doesn't state anything about Windows 9x systems, but based on the choices given, C is the only answer.)

162. You have acquired a new Pentium III computer with two blank hard drives, a 40x CD-ROM drive, an AGP display adapter, and a Fast Ethernet network adapter. All hardware is on the HCL. You want to achieve these results:
- Install Windows 2000 Professional on the computer.
- Minimize the time required to install Windows 2000 Professional.
- Choose a file system to enable maximum security of data on the computer.
- Have the computer join your domain.
Your proposed solution is to start the computer, access the BIOS, set the computer to boot from the CD-ROM drive, save changes, and restart the computer. When Setup runs, complete the necessary tasks and specify the NTFS partition type. After restarting the computer again, restore the original boot disk configuration in the BIOS. When prompted, specify the appropriate domain name. Which results does the proposed solution produce? (Choose 3)
A. Windows 2000 Professional is installed on the computer; the specified file system enables security; the computer joins your domain.
Ans: A

163. Kevin, a software developer at Perfect Solution Inc., recently left the job. The company's administrator moves all of his home folder files, which have the Encrypting File System (EFS) enabled. When the manager attempts to open Kevin's files, he is denied access. What should be done so that the manager can access those files with the least administrative burden?
a. Log on to the network as a Recovery Agent. Decrypt the files for the manager.
b. Grant the manager the NTFS Take Ownership permission to the files.
Ans: A
Why? Read the topics "File encryption overview" and "Encrypting File System and data recovery" in the Windows 2000 Professional online help. Once a file is encrypted on Windows 2000, nobody else can open it; the only exception is the Recovery Agent. Even if the manager has the Take Ownership permission he won't be able to open it, because ownership and NTFS permissions give him no key to the file.

164. You are the administrator of your company's network. A user named Veronica uses a shared Windows 2000 Professional computer. The computer is a member of a workgroup. Veronica has encrypted five files on the computer to ensure the security of the files. Two of these encrypted files are needed for an important meeting. However, Veronica is out of the office until next week. You need access to the files immediately. You also need to ensure that Veronica can log on when she returns. You want to accomplish this with the least amount of administrative effort. You log on to Veronica's computer by using the local Administrator account. What else should you do?
A. Open the two files. Do nothing further.
B. Turn off encryption for the two files. Do nothing further.
C. Back up the two files and then restore them. Turn off encryption on the restored files.
D. Change Veronica's password. Log on by using her user name and new password. Then open the two files.
ANS: A
(On a Windows 2000 workgroup computer the local Administrator is the Recovery Agent by default. Windows XP and later do not create a default Recovery Agent on standalone computers, so this answer does not carry over to them. Option D would also lose Veronica's EFS keys, which are protected by her password.)

165. You encrypt three files to ensure the security of the files. You want to make a backup copy of the three files and maintain the security setting. You have the option of backing up to either the network or a floppy disk. What should you do?
A. Copy the files to a network share on an NTFS volume. Do nothing further.
B. Copy the files to a network share on a FAT32 volume. Do nothing further.
C. Copy the files to a floppy disk that has been formatted by using Windows 2000 Professional. Do nothing further.
D. Place the files in an encrypted folder. Then copy the folder to a floppy disk.
ANS: A
Only NTFS stores EFS metadata. Copying to FAT32 or to a floppy (which is FAT regardless of what formatted it) writes a plaintext copy without any warning, so B, C and D all leave the data unprotected.

166. You are the administrator of your company's network. Your network has 200 Windows 2000 Professional computers and 15 Windows 2000 Server computers. Users on the network save their work files in home folders on a network server. The NTFS partition that contains the home folders has Encrypting File System (EFS) enabled. A user named John leaves the company. You move all of the files from John's home folder to his manager's folder. When the manager attempts to open any of the files, she receives the following error message: "Access denied." You want the manager to be able to access the files. What should you do?
a. Grant the manager NTFS Full Control permission to the files.
b. Grant the manager NTFS Take Ownership permission to the files.
c. Log on to the network as a Recovery Agent. Decrypt the files for the manager.
d. Log on to the network as a member of the Backup Operators group. Decrypt the files for the manager.
ANS: C

167. Kevin, a software developer at Perfect Solution Inc., recently left the job. The company's administrator moves all of his home folder files to his manager's home folder. The NTFS partition that contains the home folders has the Encrypting File System (EFS) enabled. When the manager attempts to open Kevin's files, he is denied access. What should be done so that the manager can access those files with the least administrative burden?
A. Grant the manager NTFS Full Control permission to the files.
B. Grant the manager the NTFS Take Ownership permission to the files.
C. Log on to the network as a Recovery Agent. Decrypt the files for the manager.
D. Log on to the network as a member of the Backup Operators group. Decrypt the files for the manager.
ANS: C
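Added example for questions 163 to 167 (not part of the interview dump): recovering a departed user's EFS files as the data recovery agent, together with the question-165 check that an encrypted copy survives only on NTFS. The PowerShell below was written for this page; it assumes an elevated session that holds the recovery agent's private key, a cipher.exe that supports the /c switch (Windows Vista and later), local or mapped drive letters, and hypothetical paths.

```powershell
# Added example, not from the interview dump. Recover a departed user's EFS
# files as the recovery agent, and copy encrypted files without losing the
# encryption. Assumes an elevated session holding the DRA private key and a
# cipher.exe with /c (Vista and later). Paths are hypothetical.
$source  = 'D:\Home\Kevin'
$archive = 'D:\Home\Manager\FromKevin'

function Get-EfsFile([string]$Path) {
    Get-ChildItem -Path $Path -Recurse -File |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }
}

function Test-NtfsVolume([string]$Path) {
    # EFS metadata survives a copy only onto NTFS; assumes a local or mapped drive letter.
    $root = [IO.Path]::GetPathRoot([IO.Path]::GetFullPath($Path))
    (New-Object IO.DriveInfo($root)).DriveFormat -eq 'NTFS'
}

$files = Get-EfsFile $source
"$($files.Count) encrypted file(s) under $source"

# Who can open each file? cipher /c lists the user certificates and the
# recovery certificates stamped on the file. This session must hold the private
# key of one of them, or every cipher /d below fails with "Access is denied".
foreach ($f in $files) { cipher.exe /c $f.FullName }

# Question 165: an encrypted copy survives only on NTFS. FAT32 or a floppy gets
# a plaintext copy with no warning, so refuse such targets before copying.
if (-not (Test-NtfsVolume $archive)) {
    throw "$archive is not on an NTFS volume; the copies would be written in plaintext"
}
New-Item -ItemType Directory -Path $archive -Force | Out-Null
Copy-Item -Path (Join-Path $source '*') -Destination $archive -Recurse
$plain = Get-ChildItem -Path $archive -Recurse -File |
    Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) }
if ($plain) { Write-Warning "Copies that lost encryption: $($plain.FullName -join ', ')" }

# Questions 163/166/167: decrypt the originals in place as the recovery agent;
# from then on plain NTFS permissions decide who reads them. Full Control or
# Take Ownership would not have helped: the manager still had no key.
foreach ($f in $files) { cipher.exe /d $f.FullName }
$remaining = Get-EfsFile $source
"Encrypted files remaining: $($remaining.Count)"    # 0 when recovery succeeded
```

The copy in the middle is what question 165 is really testing: the operating system does not refuse to copy an encrypted file to FAT, it just silently drops the encryption, so the post-copy attribute check is the only thing that tells you the archive is still protected.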

168. You are the administrator of your company's network. Your network has 75 Windows 2000 Professional computers and eight Windows 2000 Server computers. Users on the network save their work files in home folders on a network server. The NTFS partition that contains the home folders has Encrypting File System (EFS) enabled. The partition also has disk quotas defined. A user named Candy reports that she cannot save any files to her home folder. She also cannot update files in her home folder. When she attempts to save files to the folder she receives the following error message: "Insufficient disk space". Other users are not experiencing this problem with their home folders. You want to enable Candy to save files in her home folder. What should you do?
A. Log on to the network as a Recovery Agent. Decrypt all of Candy's files in her home folder.
B. Log on to the network by using the domain Administrator account. Grant Candy Full Control permission to her home folder.
C. Use Windows Backup to archive and remove old files on the server.
D. Increase the disk quota entry on the server for Candy to accommodate the additional files.
ANS: D

169. Each user in your network has his/her own user directory. Jane copies a file to her user directory and receives the message "insufficient space." She finds that she cannot even add data to a file and save it. Others are not having any problems. What should you do?
a. Increase the quota limit for Jane
b. Defragment the hard drive
c. Confirm that NTFS compression has been enabled
d. Add Jane to the Domain Users group
e. Confirm that backup is not running
ANS: A

170. Julie is trying to save a file that is 2 MB in size. When she tries to save the file, she gets an error message that the disk is out of space. When the administrator checks available disk space, it is determined that there is more than 4 GB of free disk space. What is the most likely cause?
A. The disk needs to be defragmented.
B. Julie does not have the NTFS permissions she needs to access the folder where she is trying to save the file.
C. Julie has exceeded her disk quota.
D. The folder is encrypted and Julie does not have the key required to write to the folder.
Answer: C. If Julie is getting "out of space" errors and the disk has free space, it is likely that the disk has disk quotas applied and Julie has exceeded her quota limitation.

171. Which of the following statements is true for disk quota management in Windows 2000 Professional?
A. Quotas can only be set for all users of a volume.
B. Quotas can only be set for specific users or groups of a volume.
C. Quotas can be set for all new users of a volume or set individually for users of a volume.
D. Quotas are only set for all users at the computer level through a group policy.
Answer: C. You cannot specify a quota for a group. Quotas are set for all new users of a volume or set individually for users of a volume.

172. Sticky Keys question: How do you turn off the automatic accessibility option?
A. Control Panel, Accessibility Options, General tab
ANS: A

173. You have configured accessibility options for Tom. Everything works fine. Tom leaves his computer for an hour, and when he comes back none of the accessibility options work anymore. What should you do?
A. In Accessibility Options, on the General tab, disable "Turn off accessibility features after idle for xx minutes."
ANS: A

174. You are creating a dial-up connection for Internet access. The wizard cannot access the default Internet Service Providers (ISPs) with either of the numbers provided. What is your alternate method for setting up the connection?
A. Configure the dial-up connection to negotiate with the server using Challenge-Handshake Authentication Protocol (CHAP).
B. You can choose the option to set up the Internet connection manually if you already know the ISP's phone number and your account and password.
C. You need to provide a known IP address before attempting to connect to the ISP server.
D. Your ISP is requiring data encryption. Configure the dial-up connection to use it.
ANS: B

175. You install Windows 2000 Professional on your portable computer. You configure your computer to join the CORP domain. You now create a new dial-up connection to connect to the company's remote access server that is in the CORP domain. You want authentication to be based on the logon credentials that you use when you log on to the portable computer. What should you do? (Choose two.)
A. Configure the security options to enable EAP.
B. Configure the security options to require secured passwords.
C. Configure the security options to allow unsecured passwords.
D. Configure the security options to use the Windows logon name and password.
E. Configure the dialing options to include the Windows logon domain.
F. Configure the dialing options to not prompt for name and password.
ANS: B, D

176. You create a dial-up connection to your Internet service provider (ISP). You configure the Security tab and the Networking tab of the Internet Connection via MSN Properties dialog box as shown in the exhibit. You attempt to connect to the ISP. You view the status change from Dialing to Verifying user name and password. After several seconds, the status changes to Disconnecting. You are then disconnected from the computer you dialed. You verify that your user name and password are entered correctly. You want to enable your computer to connect to your ISP. What should you do?
A. Configure your connection to enable data encryption.
B. Configure your connection to use the UNIX SLIP server.
C. Configure your connection to allow unsecured passwords.
D. Instruct your ISP to configure your account to support Multilink.
ANS: C

177. You dial in to your company's network from home. You find that you can access resources on the first subnet (where the dial-in server is located) but you cannot go beyond that. What dial-in parameter would you have to change?
A. Use default gateway on remote network
ANS: A

178. Your remote access clients are complaining that their connection to the server is too slow and that they are unable to work productively. Currently most of the users are dialing in over analog modems. Unfortunately higher-speed methods of Internet access such as DSL and cable modem are not available to most of these users. You decide instead to install additional modems in the computers of the users who will remotely access your company's network so that they will be able to connect to the server using multiple modems simultaneously. What additional software configuration must you do on your Remote Access Servers to ensure that this will work properly?
A. Configure Routing and Remote Access (RRAS) to support the Remote Authentication Dial-In User Service (RADIUS).
B. Enable dual callback.
C. Enable multilink.
D. Install the Bandwidth Allocation Protocol (BAP).
E. Install the Extensible Authentication Protocol (EAP).
Answer: C

179. You are using Windows 2000 Professional at home with a smart card installed. You want to connect to your RAS server to pick up e-mail. What protocol will you need?
A. EAP
B. PPTP
C. IPSec
D. NETBEUI
Ans: A

180. You are using a DIALUP connection. You want to ensure that your PASSWORD is encrypted. What protocols from the list below would you disable?
A. PAP
B. SPAP
C. MSCHAP
D. MSCHAP V1
E. MSCHAP V2
F. CHAP
Ans: A. Keywords: dialup, and the password must be encrypted, not the whole session. PAP is the only protocol that does not encrypt the password.

181. You are using a DIALUP connection. You are DIALING into a remote server; you do not know what type of server it is, but you want the entire session encrypted. What protocols from the list below would you disable?
A. PAP
B. SPAP
C. MSCHAP
D. MSCHAP V1
E. MSCHAP V2
F. CHAP
Ans: A, B. MSCHAP, MSCHAP V1 and MSCHAP V2 are for encrypting whole sessions for dial-in connections in a MICROSOFT world. CHAP is for encrypting whole sessions for dial-in connections in a NON-MICROSOFT


182. You are creating a dial-up connection on your Windows 2000 Professional portable computer to connect to your customer's dial-up server. You are not sure which type of server your customer is using for dial-up connections. You want to ensure that your dial-up connection authentication is secure and that your logon information is not sent in plain text. You view the Advanced Security Settings dialog box as shown in the exhibit. Which option or options should you disable in the Advanced Security Settings dialog box? (Choose all that apply.)
A. Unencrypted password (PAP)
B. Shiva Password Authentication Protocol (SPAP)
C. Challenge Handshake Authentication Protocol (CHAP)
D. Microsoft CHAP (MS-CHAP)
E. Microsoft CHAP Version 2 (MS-CHAP v2)
F. For MS-CHAP based protocols, automatically use my Windows logon name and password (and domain, if any)
ANS: A, B

183. You are using a DIALUP connection to connect to a WINDOWS 2000 RAS SERVER. You want the whole session encrypted. What protocols from the list below would you disable?
A. PAP
B. SPAP
C. MSCHAP
D. MSCHAP V1
E. MSCHAP V2
F. CHAP
Ans: A, B, D, F. PAP, SPAP and CHAP are not used because you are dialing into a pure WINDOWS 2000 system. D is wrong because you only have MS-CHAP and MS-CHAP v2.

184. You have a smart card and must choose the correct protocol for authentication.
A. EAP
Ans: A

185. Tough "choose all that apply" question about RRAS and enabling "Smart Card Support". It shows a picture of the RRAS Authentication screen. I know you need to enable EAP for smart cards, but what about MS-CHAP, MS-CHAP v2, and "Use Windows Logon Name and Password"? I hate the choose all that apply questions.
A. EAP
Ans: A

186. You install Windows 2000 Professional on your computer at home. You create a new dial-up connection to connect to your company's remote access server. You configure the connection to use both of your external modems and to use multilink to bind the modems together. You start the dial-up connection and connect to the remote access server. You notice that only one of the modems is connected to the remote access server. What should you do?
A. Configure the dial-up connection to use a SLIP connection
B. Configure the company's remote access server to accept multilink connections
C. Replace your modems with new modems that support multilink
D. Grant your user account multilink permission on the company's remote access
ANS: B

187. You install a second modem on a Windows 2000 Server computer configured with Routing and Remote Access. Dial-in users report that they are unable to connect to the server by using this new modem. What can you do to help find out the cause of the problem? (Choose three.)
A. Use the Diagnostics tab in Phone and Modem Options in Control Panel to query the modem.
B. Use Device Manager to identify any port resource conflicts.
C. Use the Routing and Remote Access snap-in to find out whether the ports for both modems are operational.
D. From a command prompt, run the Net Config Server command.
E. From a command prompt, run the Net Statistics command.
F. Use Regedt32 to view the Error Control value in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess key.
ANS: A, B, C

188. A user calls you because she cannot find the files she needs on a network shared folder. You learn from her that she is looking with Explorer for the n:\composite\division\projects folder. What do you need to do so she can see the files?
A. You instruct her to type \\servername\composite\division\projects\filename in her application software.
B. Tell the user to click the Start button, and run \\servername. Using that route, she can click down to the target folder.
C. Give the user an access control entry for the needed folder, projects.
D. Give the user "List Folder Contents" permission to the network shared folder using a security group.
ANS: C

189. You are the administrator of a Windows 2000 network. You purchase 25 new portable computers that have a preinstalled version of Windows 98. You upgrade the 25 new computers to Windows 2000 Professional. You want to remove the Logoff option from the Start menu on the 25 new computers. Which two methods can you use to accomplish your goal? (Choose two.)
A. On the Advanced tab of the Taskbar & Start Menu dialog box, clear the Display Logoff option.
B. On the Advanced tab of the Taskbar & Start Menu dialog box, clear the Administrative Tools option.
C. On the General tab of the Taskbar & Start Menu dialog box, clear the Personalized Menus option. Log off and then log on to the computers.
D. Use a Local Computer Policy that will not include the Logoff option on the Start menu.
E. Use the User Profiles tab within the properties of My Computer to change the profile from a local profile to a roaming user profile.
ANS: A, D

190. You are the administrator of a Windows 2000 Professional computer that is shared by several users in the sales department. User accounts have been created for current users. Current users can log on to the computer. To accommodate new users, you add two new user accounts named User7 and User8 to Computer5. When User7 attempts to log on to the computer, she receives the following error message: "Windows cannot copy file C:\Documents and Settings\Default User to location C:\Documents and Settings\User7. Contact your network administrator. Detail - Access is denied." When User8 attempts to log on to the computer, he receives the same type of error message. You want to allow the two new users, as well as other users in the sales department, to be able to log on to the computer. Which two methods can you use to accomplish your goal? (Choose two.)
A. Add the User7 and User8 user accounts to the DACL for the Profiles shared folder on the network server.
B. Add the User7 and User8 user accounts to the DACL for the C:\Documents and Settings\Default User folder.
C. Add the Everyone group to the DACL for the C:\Documents and Settings\Default User folder.
D. Add a Group Policy object (GPO) for the Sales OU that redirects user profiles to a shared folder.
E. Log on by using the local Administrator account and create new folders for User7 and User8 in the C:\Documents and Settings folder.
F. Select the "Allow inheritable permissions from parent to propagate to this object" option on the C:\Documents and Settings\Default User folder, and reset the permissions on all child objects.
G. Move and retain permissions and compressions
Ans: B, F

191. Maria is a member of the local Administrators group. She was given administrator rights to assist you with administering the server, creating backups and running User Manager. Some users complain that she reads and changes their documents and sensitive data. You want Maria to have fewer rights. What rights should you give her?
A. Remove Maria from the Administrators group. Add her to Power Users and Backup Operators
B. Leave her as Administrator and choose "Deny" on the users' files
Ans: A

192. You are the administrator of a network supporting Windows 2000 Professional computers connected to a Windows 2000 Server domain. You have assigned permissions to the appropriate network and printer resources to the Developers group. Ten new users have been hired, and you are installing ten new computers to run Windows 2000 Professional. You want the new users to have these capabilities:
- Log on to any computer in the domain and run the same applications.
- Log on to any computer in the domain and receive the same display settings.
- Log on to any computer in the domain and access the same network connections.
- Log on to any computer in the domain and receive the same printer connections.
Your proposed solution is to configure the computers to join the domain, create ten new domain user accounts, add them to the Developers group, and configure a roaming user profile for each user. Which results does the proposed solution provide? (Choose all that apply.)
a) Users can log on to any computer in the domain and run the same applications.
b) Users can log on to any computer in the domain and receive the same display settings.
c) Users can log on to any computer in the domain and access the same network connections.
d) Users can log on to any computer in the domain and receive the same printer connections.
ANS: B, C, and D

193. You are the administrator of your company's network. Your network has 20 Windows 2000 Server computers in the contoso.com domain. Your network also has 250 Windows 98 computers. You want to perform a clean installation of Windows 2000 Professional on all of the Windows 98 computers. All of the Windows 98 computers are identical models and are PXE compliant. You want to accomplish the following goals:
- An unattended installation of Windows 2000 Professional will be performed.
- An unattended installation of company-standard applications will be performed during the installation of Windows 2000 Professional.
- Each computer will be assigned a unique Security Identifier Descriptor (SID).
- The unattended installation script will be modified so that the computers automatically join the contoso.com domain.
You take the following actions:
- Install Windows 2000 Professional on a Windows 98 computer named Computer1.
- Install and configure company-standard applications on Computer1.
- Use Setup Manager on Computer1 to create an Unattend.txt file based on the current configuration, including domain membership.
- Start the remaining Windows 98 computers, and then install Windows 2000 Professional. Use the Unattend.txt file to provide the settings for the installation.
Which result or results do these actions produce? (Choose all that apply.)
A. An unattended installation of Windows 2000 Professional is performed.
B. An unattended installation of company-standard applications is performed during the installation of Windows 2000 Professional.
C. Each computer is assigned a unique SID.
D. The unattended installation script is modified so that the computers automatically join the contoso.com domain.
ANS: A, C, D

194. One user leaves your company and another gets his position. How can you give the same permissions and restrictions to the new user while minimizing your work? The old user must have no further access.
a. Rename the user account and change the password.
b. Copy the old account to the new account and then delete the old account.
c. Copy the old user profile to the new user account.
d. Delete the old account. Create a new account and place it in all the groups that the old account was in. Manually re-assign all the user-specific rights and permissions from the old account to the new account.
ANS: A


195. You are an administrator of your company's network. You want to perform routine upgrades on your Windows 2000 Server computer. You use your non-administrator user account in the domain to log on to the server. You want to update all of the critical system files and patches on the server in the shortest possible time. What should you do?
A. Run Windows Update.
B. Run System File Checker.
C. Log on as an Administrator and run Windows Update.
D. Log on as an Administrator and run System File Checker.
ANS: C

196. You are the administrator of your company's network. Your company has offices in Hong Kong, Madrid, New York, Paris, and Tokyo. A user named Carmen works in the New York office, but she often travels to the Madrid office. Carmen uses the MultiLanguage version of Windows 2000 Professional on her portable computer. She needs to be able to access both an English and a Spanish user interface, input locale, and keyboard layout/IME. When Carmen is in the New York office, she logs on to the network by using the Carmen Eng user account. She is given the English user interface, input locale, and keyboard layout/IME. When she is in the Madrid office, she logs on to the network by using the Carmen Span user account. She is then given the Spanish user interface, input locale, and keyboard layout/IME. Carmen reports that when she logs on to the network by using the Carmen Eng user account, she is not allowed to add any languages to her computer other than English (US), which is already installed. What should you do?
A. Add the Spanish keyboard layout/IME for the Carmen Eng user account profile.
B. Add the English keyboard layout/IME for the Carmen Span user account profile.
C. Reconfigure the Group Policy object for the Carmen Eng user account to allow her to change languages on her computer.
D. Reconfigure the Group Policy object for the Carmen Span user account to allow her to change languages on her computer.
ANS: C

197. You are the administrator of your company's network. You run the MultiLanguage version of Windows 2000 Professional on 1500 computers. Users can choose Chinese, English (US), German, Japanese, or Spanish as their language environment. A user named Suzanne wants to change her computer desktop and user interface from English to Japanese. She reports that she used Regional Options in Control Panel to install Japanese as a language preference. However, her computer desktop and user interface remain in English. What should you instruct Suzanne to do?
A. Set Japanese as the default language by using Regional Options in Control Panel.
B. Set Japanese as the default locale and keyboard layout/IME language by using Regional Options in Control Panel.
C. Select Japanese by using Regional Options in Control Panel. Then log off and log back on.
D. Select Japanese in the locale and keyboard layout/IME settings on the taskbar. Then install the code page conversion table.
ANS: C

198. Kristin works between two offices. From her laptop, she logs into her Boston account using her login "Bost_Eng". She only has the English version available. When Kristin logs into her Mexico account "Mex_Span", she only has the Spanish language available. Kristin logs in to the Bost_Eng account and needs to use Spanish. She tries to install Spanish but is not able to. You are the network administrator; how do you address this problem so that Kristin can use English and Spanish from her Bost_Eng account?
A. Change her settings in the OU to allow Kristin to use Spanish
B. Give her appropriate permissions to allow her to install the Spanish language option.
Ans: B

199. You run the English (US) edition of Windows 2000 Professional on your computer. You are developing a product installation document that has text in both English and Spanish. The word processing program you are using is a Windows 16-bit character-based application. You start the word processing program and complete the English portion of the document. You then install Spanish as a language group by using Regional Options in Control Panel. However, you cannot use Spanish to complete the Spanish portion of your document. What should you do?
A. Save and close the word processing program. Select Spanish by using the locale indicator on the taskbar, and restart the word processing program.
Ans: A

200. You are the administrator of your company's network. Your company is based in Russia and conducts the majority of its business in Russian. Users in your company create, view, and edit documents in English (US), French and Spanish to communicate with vendors internationally. Users run the Russian localized edition of Windows 2000 Professional on their desktop and portable computers. A user named Katrin wants to create a word processing document in both English and Spanish by using Notepad in Windows 2000 Professional. She requests your assistance in enabling English and Spanish on her computer. What should you do?
A. Instruct Katrin to select the desired input locale for either English or Spanish within Notepad.
B. Instruct Katrin to select the input locale indicator on the taskbar and select either English or Spanish.
C. Instruct Katrin to use Regional Options in Control Panel to add input locales and keyboard layouts/IME for both English and Spanish.
D. Create a local computer policy for Katrin's computer to include both English and Spanish.
ANS: C, D

201. You are the administrator of a Windows 2000 network for Parnell Aerospace. You upgrade 10 computers from Windows 98 to Windows 2000 Professional. You want the computers to join the parnellaerospace.com domain. What should you do?
A. Log on to one of the computers and create 10 unique computer accounts in Active Directory.
B. Log on to each computer and create the computer account for each computer when prompted to do so.
C. Log on to each computer by using the domain Administrator account, join the domain, and then create the computer account for each computer when prompted to do so.
D. Reconfigure TCP/IP on each computer to ensure that the computers are on the same subnet as the domain controller for the parnellaerospace.com domain.
ANS: D (Why not C? Check this out.)

202. You are the administrator of the Coho Vineyard network. The network consists of 10 Windows 2000 Advanced Server computers and 250 Windows 2000 Professional computers. Your company has two domains: cohovineyard.com and westcoastsales.com. The company's intranet site is on a Windows 2000 Advanced Server computer named ServerA. ServerA is in the cohovineyard.com domain and is running Internet Information Services (IIS) and Microsoft Proxy Server 2.0. You want to configure the Windows 2000 Professional computers in the westcoastsales.com domain to access the intranet site. You want users to be able to connect to the intranet site by using the URL http://servera/ rather than its fully qualified domain name. What should you do?
A. Add cohovineyard.com to the Domain Suffix Search Order on the computers.
B. Add westcoastsales.com to the Domain Suffix Search Order on the computers.
C. Add westcoastsales.com to the exceptions list in the proxy server settings on the computers.
D. Configure the proxy server settings on the computers to bypass the proxy server for intranet addresses.
ANS: A
Explanation: To get to ServerA from outside the domain, a computer has to resolve the name to an IP address. If using DNS, it needs the fully qualified domain name, which consists of the computer name appended to the domain name, like this: servername.domainname.com. When you use the Domain Suffix Search Order option, it will try to resolve the name ServerA with the DNS. When it fails, it will append the listed domain names on the end and try to resolve it then. This means that when a user types in the server name only, it will successfully resolve it to ServerA.cohovineyard.com; it's like a shortcut. Go to the TCP/IP properties, Advanced button, DNS tab, and then note the "Append these DNS suffixes (in order)" setting. Whatever domain names you have at your company can be added here. They will be appended after the ServerA server name and resolved, one after another.

203. Based on the exhibit: three computers PC1, PC2, PC3 and a DHCP server on the sales segment of the network. PC1, PC2, and the DHCP server all have TCP/IP and have IP addresses (192.168.10.31, -32, -34) and subnet mask (255.255.255.0) configured. They all have the wrong default gateway, 192.168.10.20, while the router was labeled with 192.168.10.60. PC1, PC2, and the DHCP server also have NWLink 802.2. PC3 has NWLink 802.3 only, no IP. Then, there is a router. The development segment is on the other side of the router and was configured with IP addresses 192.168.10.x, subnet mask (255.255.255.0), and a default gateway that matches the router. PC1 and PC2 couldn't see computers on the development segment; PC3 couldn't see anybody. What should you do so that everybody on both subnets can see everybody else on both subnets? (Select 2.)
A. Change the IP configuration on the DHCP server to have the right default gateway address. Install TCP/IP with default settings on PC3.
Ans: A

204. TCP/IP diagram question: four PCs on one side of the router. Three are configured with TCP/IP and NWLink 802.2 and the fourth PC with NWLink 802.3. Their gateway configuration is wrong; the other side is all TCP/IP, configured correctly to the router. What are the two best things to get them all talking together?
A. The DHCP server was handing out bad gateway addresses
B. Configure the NWLink PC to use DHCP
C. Configure the NWLink PC to use 802.2
D. Configure everyone to use NETBEUI
Ans: A, C

205. You are trying to copy big files from a UNIX server to a Win2K computer (running TCP/IP). You do the copy in Explorer. The files are 100 MB each, and you need to copy 20 of them. The copying always aborts. What should you do to resolve the problem?
A. Install Network Monitor agent, use the Performance console and review all counters for TCP/IP.
B. Install Network Monitor agent, use the Performance console and review Fragmented Datagrams/sec.
C. Install SNMP and monitor TCP/IP counters.
D. Install Simple TCP/IP protocol and monitor Fragmented Data
Ans: B

206. You are installing Windows 2000 Professional on 25 computers. You want to prevent users from installing device drivers that might cause computers to become unstable. You want users to be able to install device drivers only for devices that are included on the current Hardware Compatibility List (HCL). What should you do?
A. Create a Local Computer Policy to enable Windows File Protection.
B. Create a Local Computer Policy to prevent users from installing device drivers.
C. Add users to the Power Users local group rather than to the Administrators group.
D. Enable driver signing to prevent the installation of unsigned drivers, and set driver signing as a system default.
ANS: D

207. You are an administrator in a company that has Windows 2000 Professional systems. Your users have been installing unsupported USB drivers on their systems, causing them to lock up and fail. You want to ensure that only drivers that are in the HCL can be installed. What must be done? (Choose 2.)
A. Ignore - Install all files, regardless of file signature
B. Warn - Display a message before installing an unsigned file
C. Block - Prevent installation of unsigned files
D. Apply setting as system default
Ans: C, D

208. Roger is a new user in your company for whom you have just created an account. Roger logs on to his computer for the first time and is annoyed by the background that has been configured for his account. He attempts to change the background and is successful. After working for a couple of hours he logs off his computer and heads to lunch. When he returns from lunch, he logs on to his computer and notices that he now has the original background again. You receive a call from Roger who would like to know why this happened. What is the most likely explanation?
A. Roger does not have the appropriate permission to the bitmap file for the background he wishes to use. You must have at least Read permission to the file containing the background you wish to use.
B. Roger is not a member of the Power Users group. In order to make permanent changes to user settings, you must be a member of this group.
C. Roger's account has been configured with a mandatory profile. In this case, the user can still modify the desktop, but the changes are not saved when the user logs off.
D. Roger's account is a member of the Guest Users group. Members of the Guest Users group automatically have their changes discarded upon logoff.
Answer: C

209. A user has a laptop which he uses offline and online. You want to change the user's profile to roaming. When you attempt to change the setting, the "change to roaming" option is grayed out. How do you address this problem?
A. In Control Panel, System, change the profile to roaming
B. Have him log back into the network, then see if the option is no longer grayed out.
C. None of these choices are right. The grayed-out option means that the profile is a local profile and can't be converted to roaming. See the topic "To switch between a roaming and local user profile" in the W2K Pro online help and the topic "To create a roaming user profile" in the W2K Server online help.
Answer: C

210. You want to change the location of a user's roaming profile from c:\documents and settings to a network share \\pdc\users\<user's name>. How do you do this?
A. On the server, configure the user properties and place the path as \\pdc\users\%username%
Ans: A

211. Sandy has a Windows 2000 Professional system. Today she is visiting another department, and is using a Windows NT 4.0 system. She wants to print a document but is missing her printer. You want her to be able to print from any computer she logs in at. What can you do to ensure that she has this ability?
A. Create a roaming profile
Ans: A

212. Sandy has a roaming profile set up for her Windows 2000 Professional system. Today she is visiting another department, and is using a Windows NT 4.0 system. All of her roaming profile stuff is missing. What's the problem?
A. Create a roaming profile (Win 2000 profiles DO roam to an NT 4.0 system. See the topic "User profiles overview" in the W2KServer online help.)
Ans: A

213. Your network currently has a mixture of Windows 2000 Professional, Windows 95 and Windows 98 clients. The clients are distributed between four different subnets. Although you eventually plan to migrate your Windows 95 and Windows 98 clients to Windows 2000 Professional, the migration probably will not happen for at least another year. In the meantime you would like to allow all of the clients to be able to connect to all of the other clients and share data and printers. However, you want to minimize the amount of administration that must take place when a new computer is added to the network or when a computer's IP address is changed. What would be the best method of allowing these clients to interact using user-friendly NetBIOS names?
A. Create a DHCP server for the network and configure all of the client computers to use the DHCP server.
B. Create a DNS server for the network and configure all of the client computers to use the DNS server.
C. Create a WINS server for the network and configure all of the client computers to use the WINS server.
D. Configure all of the client computers to support multicasting.
E. Configure all of the client computers to use Automatic Private IP Addressing (APIPA).
F. Implement HOSTS files on all of the client computers.
G. Implement LMHOSTS files on all of the client computers.
Answer: C

214. You are creating two custom Microsoft Management Consoles (MMCs) for use on your company's network. The first console will be called "topadmin.msc" and will be used by top-level administrators to perform daily tasks on the network. The second console will be called "levelone.msc" and will be used by entry-level members of the support staff to perform limited troubleshooting functions. You would like the users of "topadmin.msc" to have the ability to make changes to the MMC, including the ability to add or remove snap-ins, create new windows, create taskpad views and tasks, add items to the Favorites list, and view all portions of the console tree. You would like users of "levelone.msc" to have full access to the console tree and all window management commands. However, you want to prevent them from adding or removing snap-ins and from changing the console properties. Which of the following would be the best solution to achieve these objectives?
A. Configure "topadmin.msc" with an access level of "Author mode" and "levelone.msc" with an access level of "User mode - limited access, multiple window"
B. Configure "topadmin.msc" with an access level of "Author mode" and "levelone.msc" with an access level of "User mode - full access"
C. Configure "topadmin.msc" with an access level of "User mode - full access" and "levelone.msc" with an access level of "Author mode"
D. Configure "topadmin.msc" with an access level of "User mode - full access" and "levelone.msc" with an access level of "User mode - limited access, multiple window"
Answer: B

215. You have a Windows 95 computer with a Pentium 133, 64 MB of RAM, 2 GB of hard disk space, and a CD-ROM. The network adapter is not PXE boot ROM compliant. You want this computer to use Dfs since that will be a standard for everyone on the upgraded network. What should you do to enable Dfs on this machine?
A. Create a remote installation boot disk by running rbfg.exe. Upgrade the system to Windows 2000 Professional from the network installation source.
B. Use the empty PCI slot to add a new PXE boot ROM-compliant network adapter, set the BIOS to start from the network adapter card, and upgrade to Windows 2000 Professional.
C. Create the four boot floppies to run startup and use the CD-ROM drive to finish the upgrade to Windows 2000 Professional, since this CD-ROM is too old to be a bootable device.
D. Install Internet Explorer (IE) 4.01 or later and enable the Active Desktop components. Install the Directory Service Client.
Once again, none of these answers is correct. DFS was available in NT 4.0 but is enhanced in W2K. DFS is NOT supported by DOS, Windows 3.1, or any other non-Windows OS. It is supported in Windows 9x and higher, so A, B, and C do not need to be done. In order for it to work in a 9x environment, you must download and install the proper DFS client software from the MS website, not a Directory Service client, nor do you need to use Active Desktop components as D says.
Ans: A

216. You are the administrator of a Windows 2000 network. Users in the engineering department run Windows 2000 Professional on their desktop computers. The size of the department has recently expanded from five users to 10 users. Users need to be able to update files in a shared folder named CommonData. The folder is stored on a FAT16 partition on one of the Windows 2000 Professional computers on the network. The files in CommonData are published in the Active Directory so that other users in the company can refer to them. The network also uses Distributed File System (DFS) to simplify access to its user data. Users in the engineering department report that when they try to access CommonData, they receive the following error message: "CommonData is not accessible. No more connections can be made to this remote computer at this time." You want to ensure that users can access the files. What should you do?
A. Move CommonData to a FAT32 partition on the host computer, and share it again.
B. Move CommonData to an NTFS partition on the host computer, and share it again.
C. Increase the user limit on the network share to the maximum allowed.
D. Increase the "Clients cache this Dfs referral" value on the Dfs leaf node that describes the data.
ANS: D

217. You install the boot volume D on your Windows 2000 Server computer on dynamic Disk 0. You mirror volume D on dynamic Disk 1. One year later, during routine server maintenance, you open Disk Management and find that the status of volume D is Failed Redundancy. The status of Disk 1 is Online (Errors). A symbol with an exclamation point appears in the graphical view of the disk. You want to return the status of the boot volume to Healthy. What can you do? (Choose two.)
A. Break the mirror, delete the volume on Disk 1, and re-create the mirror.
B. Replace Disk 1, copy the data from the boot volume to the new disk, and then use Disk Management to rescan the disks.
C. Replace Disk 1, ensure that the new disk is a basic disk, and repair the volume.
D. Reactivate the mirror on Disk 1.
E. Convert Disk 1 to a basic disk, and reconvert it to a dynamic disk.
ANS: A, D

218. Your Windows 2000 Server computer contains a stripe set with parity on a four-disk array. You convert the stripe set with parity to a dynamic RAID-5 volume. Six months later, users report that disk access on the server is slower than it had been on the previous day. You use Disk Management and discover that the status of the third disk in the array is Missing. You want to recover the failed RAID-5 volume. What should you do first?
A. Replace the third disk and restart the server. Use Disk Management to repair the volume.
B. Ensure that the third disk is attached to the server and has power. Use Disk Management to reactivate the disk.
C. Ensure that the third disk is attached to the server and has power. Use Disk Management to repair the volume.
D. Install a new disk and create a single extended partition on the new disk. Restart the computer and allow Windows 2000 to automatically repair the volume on the extended partition.
ANS: B
See the topic "Repairing a dynamic RAID-5 volume" in the W2KServer online help.

219. You are the administrator of a Windows 2000 domain that has three domain controllers. Each day, you use Windows Backup to perform full backups of each domain controller. You run a script to make changes to account information in Active Directory. As a result of errors in the script, the incorrect user accounts are modified. Active Directory replication then replicates the changes to the other two domain controllers. You want to revert Active Directory to the version that was backed up the previous day. What should you do?
A. On a single domain controller, use Windows Backup to restore the System State data. Shut down and restart the computer.
B. Shut down and restart a single domain controller in directory services restore mode. Use Windows Backup to restore the System State data. Run the Ntdsutil utility. Restart the computer.
C. Shut down and restart a single domain controller by using the Recovery Console. Use Windows Backup to restore the System State data. Exit the Recovery Console. Restart the computer.
D. Shut down and restart each domain controller by using the Recovery Console. Use Windows Backup to restore the Sysvol folder. Exit the Recovery Console. Restart the computer.
ANS: B
See the topic "Restoring a domain controller" in the W2KServer online help.

220. Your network contains NetWare 4.0 servers. You have successfully installed Client Service for NetWare on Windows 2000 Professional computers, and Gateway Service for NetWare on Windows 2000 Server computers. You recently added a new Windows 2000 Server computer to the network and installed Gateway Service for NetWare on it. However, the server is unable to connect to any NetWare servers. What should you do on the new Windows 2000 Server computer to resolve this problem?
A. Enable NWLink NetBIOS.
B. Configure the NWLink IPX/SPX/NetBIOS Compatible Transport Protocol to use the correct Ethernet frame type.
C. Install RIP routing for IPX.
D. Install the SAP Agent.
ANS: B

221. Which of the following options is not an event type logged in the Windows 2000 Professional Event Viewer utility?
A. Information
B. Critical
C. Warning
D. Error
Answer: B
The event types logged in Event Viewer are Information, Warning, and Error. Success Audit and Failure Audit events are also logged when events have been audited for success or failure. There is no event type called Critical.

1. You maintain a single stand-alone Windows 2003 Server for a small business. You want to install a legacy SCSI controller in this server. You install the board but it fails to work. You notice in system manager that there is a yellow warning with an exclamation mark next to the SCSI controller icon. You suspect that there may be an IRQ conflict with another installed legacy device, an old sound card. How should you configure the SCSI controller?

A. SELECT THE SCSI CONTROLLER IN THE DEVICE MANAGER. FROM THE RESOURCES TAB, DISABLE AUTOMATIC SETTINGS, THEN SCROLL THROUGH THE DIFFERENT IRQs UNTIL YOU FIND ONE THAT DOESN'T CONFLICT.

2. Dennis is an administrator for Power Tech Inc. For security reasons, he wants to log on using a non-administrative account, but run his applications under his regular administrator account. Which logon option should he enable?

A. SECONDARY LOGON
SECONDARY LOGON WILL ALLOW DENNIS TO LOG ON USING A NON-ADMINISTRATIVE ACCOUNT BUT RUN HIS APPLICATIONS UNDER HIS ADMINISTRATIVE ACCOUNT.

3. You have configured several users to be able to connect to one of your servers using Terminal Services, and you have configured redirection of client printers. You want users to be able to print to their local printers from a remote connection. However, your users report they are unable to print to their locally configured printers. What should you do?

A. ENABLE THE CLIENT/SERVER DATA REDIRECTION SETTING IN GROUP POLICY FOR EVERY TERMINAL SERVER CLIENT COMPUTER.

IF SET TO DISABLED, THIS WILL OVERRIDE THE DATA REDIRECTION SETTINGS ON THE TERMINAL SERVER. ANSWER D WILL ONLY CONTROL OUTGOING TERMINAL SERVER CONNECTIONS THAT ORIGINATE FROM THE TERMINAL SERVER.

4. Your boss asks you to implement a UNIX server to function with your Windows 2003 IIS server. The first request from the UNIX server seems to work fine, but after that all requests receive 404 File Not Found error messages from the IIS Server. What could be the problem?

A. STATIC FILE CACHE STORES FILENAMES USING UPPERCASE
THE STATIC CACHE IS STORING FILES USING UPPERCASE, WHEREAS THE UNIX REQUESTS ARE CASE SENSITIVE.

5. You are the network administrator for Acme Inc. There are several remote offices spread over the globe, each one configured as an Active Directory site. Several users are having problems accessing file servers in the Spain office. You can, however, connect perfectly using Terminal Services. You check the permissions and they are fine. What should you do?

A. ADD SOME WINDOWS 2003 SERVER LICENSES TO THE SITE LICENSE SERVER FOR THE SPAIN SITE.

YOU SIMPLY NEED TO ADD SOME LICENSES TO THEIR SITE LICENSE SERVER. WE CAN BE SURE OF THIS BY THE FACT THAT YOU CAN ACCESS IT VIA TERMINAL SERVICES.

6. You install a new print server for your company. You attach a printer and install the drivers. But when you try to print, the page comes out garbled or doesn't print correctly. What could be the problem?

A. YOU ARE USING AN INCORRECT DRIVER.
YOU ARE MOST LIKELY USING AN INCORRECT DRIVER.

7. You want to delegate responsibility for some basic administrative tasks in the TRAINING OU to Melanie, who is an intern in your company. You log on to Melanie's computer as Melanie, and you use the Run As command to load Active Directory Users and Computers using your credentials. You then assign Melanie to the PWADMINS group, which has permissions to modify user account credentials in the TRAINING organizational unit. You then close Active Directory Users and Computers. When Melanie attempts to modify a user password, she is denied access. What should you do?

A. INSTRUCT MELANIE TO LOG OFF THEN LOG IN AGAIN.
MELANIE'S OLD ACCOUNT CREDENTIALS ARE CACHED IN MEMORY AND REQUIRE THAT SHE OBTAINS A NEW TOKEN. SHE CAN ACCOMPLISH THIS MOST EASILY BY LOGGING OFF AND BACK IN AGAIN.

WINDOWS 2003 INTERIM MODE.
WINDOWS 2003 INTERIM MODE IS THE CORRECT CHOICE TO ALLOW WINDOWS NT 4.0 AND WINDOWS 2003 SERVER TO COEXIST. WINDOWS 2000 MIXED MODE WOULD ALSO ALLOW THIS, BUT THE QUESTION DIDN'T SPECIFY THAT THERE WAS A NEED TO PROVIDE SUPPORT FOR WINDOWS 2000 SERVERS.

8. Which command allows you to scan files while your computer is still switched on?
A. SFC /SCANNOW

SFC /SCANNOW WILL BEGIN SCANNING SYSTEM FILES IMMEDIATELY.

9. How would you create an OU named SIMPSON from the command line?

A. DSADD OU "OU=SIMPSON,DC=SIMPDOMAIN,DC=COM"
THE ABOVE SYNTAX WILL CREATE AN OU NAMED SIMPSON FROM THE COMMAND LINE.

Where is cached Universal Group information stored?

A. When Universal Group caching is enabled, the user's Universal Group membership is stored in the msDS-Cached-Membership attribute of the user's account, and the current time is written to the msDS-Cached-Membership-Time-Stamp value along with msDS-Site-Affinity to identify the user's logon site the first time he or she logs on. Only the msDS-Site-Affinity attribute is replicated between domain controllers (DCs); the timestamp and list of group SIDs aren't replicated and are stored only on the authenticating DC. The next time the user logs on, the system reads the SIDs from the msDS-Cached-Membership attribute instead of consulting a Global Catalog (GC), assuming the msDS-Cached-Membership-Time-Stamp is within the staleness time period (7 days by default). If the cached membership information is stale, the system consults a GC for Universal Group membership information and updates the msDS-Cached-Membership and msDS-Cached-Membership-Time-Stamp attributes. The cached information is updated every 8 hours by default, and as many as 500 users will refresh in each refresh cycle. To modify the default values associated with cached Universal Groups, perform these steps:

1. Start the registry editor (regedit.exe).
2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters registry subkey.
3. From the Edit menu, select New - DWORD Value and enter the name of one of the values in TABLE 3. Press Enter. Double-click the new value and set it to the desired value. Click OK.
4. Close the registry editor.

How can I enable anonymous Lightweight Directory Access Protocol (LDAP) connections under Windows Server 2003?

A. By default, connections to Active Directory (AD) must bind via a set of credentials so that they can perform a meaningful directory search. If you have applications that can't authenticate, you can enable anonymous LDAP connections. To do so, perform these steps:

1. Start adsiedit.msc, which is part of the Windows 2000 or later support tools (Start, Run, adsiedit.msc).
2. Expand the Configuration container. Expand Services - Windows NT.
3. Right-click "CN=Directory Service" and select Properties.
4. Double-click the dSHeuristics attribute.
5. If the value is Not Set, set it to 0000002. If the value field isn't blank, change the seventh character of the string to 2 (e.g., if the value is 001, you'd change it to 0010002). Click OK.
6. Close ADSI Edit.

After the change has replicated to all domain controllers (DCs), Windows 2003 will allow anonymous LDAP connections. However, ACLs on the data in AD still apply, so to let anonymous users view objects, you need to grant them Anonymous logon access rights. For example, to let anonymous users view an OU's contents, grant "Anonymous logon" the List Contents right.

How can I enable the List Object security option in Active Directory (AD)?

A. By default, users can view the content of organizational units (OUs). You can prevent users from viewing OU content by removing the List Contents right for that OU, or you can use the List Object permission to explicitly select which objects in an OU are viewable by particular users or groups. To enable the List Object option, perform these steps on a domain controller (DC) or on a machine that has adsiedit.msc installed. (ADSI Edit is part of the Windows 2000 or later support tools.)

1. Start adsiedit.msc (Start, Run, adsiedit.msc).
2. Expand the Configuration container. Expand Services - Windows NT.
3. Right-click "CN=Directory Service" and select Properties.
4. Double-click the dSHeuristics attribute.
5. If the value is Not Set, set it to 001. If the value field isn't blank, change the third character of the string to 1, as the figure shows. Click OK.
6. Close ADSI Edit.

Now when you select an object's advanced security properties, a new List Object property is displayed, as the figure shows.

You need to ensure that you set the List Object right not only on the objects you want to be visible but also on the OU containing the objects. Remember to remove the List Contents permission from the container for users whom you don't want to view the entire contents. For example, by default the Authenticated Users group has List Contents permission, so you'd need to remove that right to allow the more granular List Object capability. Be careful when using the List Object functionality because it makes DCs perform extra work. The DC must check every object in a container to determine whether the object should be visible instead of merely checking the container for a general list or "not list" option.
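As an added illustration (not part of the original FAQ), the string edit behind the two dSHeuristics procedures above, covering both the anonymous-LDAP case (seventh character set to 2) and the List Object case (third character set to 1); the function names are this example's own.

```python
"""Worked example of the dSHeuristics edits described in the FAQ above.
Added illustration, not part of the original FAQ. Character positions are
1-based, exactly as the FAQ counts them ("third", "seventh")."""

# What ADSI Edit shows when the attribute has never been written.
NOT_SET_VALUES = ("", "Not Set", "<Not Set>")


def _as_string(current):
    """Normalise the attribute as displayed by ADSI Edit to a plain string;
    an unset attribute becomes the empty string."""
    if current is None or str(current).strip() in NOT_SET_VALUES:
        return ""
    return str(current).strip()


def set_dsheuristics_char(current, position, new_char):
    """Return dSHeuristics with the character at `position` (1-based) replaced
    by `new_char`. Shorter strings are padded with '0' up to that position,
    which is exactly how the FAQ arrives at "0000002" (7th char) and "001"
    (3rd char) when starting from an unset attribute. Characters at other
    positions are left untouched, so the two procedures do not undo each other."""
    if position < 1:
        raise ValueError("position is 1-based")
    if len(new_char) != 1 or not new_char.isdigit():
        raise ValueError("new_char must be a single digit")
    chars = list(_as_string(current))
    while len(chars) < position:  # pad so the target position exists
        chars.append("0")
    chars[position - 1] = new_char
    return "".join(chars)


def enable_anonymous_ldap(current):
    """Seventh character -> 2 (anonymous LDAP binds, per the FAQ)."""
    return set_dsheuristics_char(current, 7, "2")


def enable_list_object(current):
    """Third character -> 1 (List Object permission, per the FAQ)."""
    return set_dsheuristics_char(current, 3, "1")


def is_anonymous_ldap_enabled(current):
    """Decode the current value: true only when a seventh character exists and
    is '2'; a shorter string means the default (disabled)."""
    s = _as_string(current)
    return len(s) >= 7 and s[6] == "2"


def is_list_object_enabled(current):
    """True only when a third character exists and is '1'."""
    s = _as_string(current)
    return len(s) >= 3 and s[2] == "1"


if __name__ == "__main__":
    for before in ("<Not Set>", "001", "0000002"):
        print(f"{before!r:12} anon-LDAP -> {enable_anonymous_ldap(before)!r:10}"
              f" list-object -> {enable_list_object(before)!r}")
```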

How can I turn off compression for Active Directory (AD) intersite replication?

A. Replication between sites is normally compressed, which uses up extra processing on the domain controllers (DCs) but saves network bandwidth. If you have very fast links between sites and would rather use extra bandwidth than CPU cycles to compress the traffic, perform the following steps:

1. Start the Adsiedit tool by typing the command Adsiedit.msc. Adsiedit is a support tool, so you must have installed the Windows Support Tools from the Windows 2000 Server or later CD-ROM (support\tools folder).
2. Expand the Configuration container, then expand CN=Sites and CN=Inter-Site Transports. Select CN=IP.
3. The right pane of the Adsiedit tool lists your site links. Right-click the site link for which you want to turn off compression and select Properties from the context menu.
4. Double-click the Option attribute.
5. If the Option value is currently <Not Set>, enter 4 and click OK. If it has a value, you need to derive its new value. To do so, convert the current value to binary and then use the OR function to combine it with 0100. For example, a current value of 1 is 0001 in binary. If you OR 0001 with 0100, you get 0101, which, converted to decimal, is 5. Therefore, you enter a value of 5.

How can I enable notification-based replication between Active Directory (AD) sites?

A. Typically, when you make a change on a domain controller (DC), the DC will notify its replication partners within the site. DCs in other sites must wait for the regular replication cycle. If you have sites that are connected by a very fast medium and want notification-based replication between those sites, you can make a change to the site link to enable intersite notification-based replication by performing the following steps:

1. Start the Adsiedit tool by typing the command Adsiedit.msc. Adsiedit is a support tool, so you must have installed the Windows Support Tools from the Windows 2000 Server or later CD-ROM (support\tools folder).
2. Expand the Configuration container, then expand CN=Sites and CN=Inter-Site Transports. Select CN=IP.
3. The right pane of the Adsiedit tool lists your site links. Right-click the site link for which you want to enable notification and select Properties from the context menu.
4. Double-click the Option attribute.
5. If the Option value is currently <Not Set>, enter 1 and click OK. If it has a value, you need to derive its new value. To do so, convert the current value to binary and then use the OR function to combine it with 0001. For example, a current value of 4 is 0100 in binary. Then you OR 0100 with 0001 and get 0101, which, converted to decimal, is 5. Therefore, you enter a value of 5.

You can perform this change only for IP links, not SMTP links, and it will result in more traffic over the link.
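As an added example, not from the original FAQ, the Option arithmetic shared by the two site-link procedures above (turning off compression, value 4, and enabling notification, value 1), including the <Not Set> case and a decoder to read a value back; the bit values are the FAQ's, the flag names are this example's own.

```python
"""Worked example of the site-link Option attribute arithmetic from the FAQ.
Added illustration, not part of the original FAQ. Bit values 1 and 4 are the
ones given in the text; the constant names are this example's own."""

NOTIFY_FLAG = 0b0001          # decimal 1: notification-based intersite replication
NO_COMPRESSION_FLAG = 0b0100  # decimal 4: intersite compression turned off
KNOWN_FLAGS = NOTIFY_FLAG | NO_COMPRESSION_FLAG


def parse_option(value):
    """Translate what ADSI Edit displays for the Option attribute into an int.
    '<Not Set>' or an empty field means no bits are set."""
    if value is None or str(value).strip() in ("", "<Not Set>"):
        return 0
    return int(str(value).strip())


def new_option_value(current, flag):
    """The FAQ's 'convert to binary, OR with the flag, convert back' in one
    step. OR is idempotent, so applying a flag that is already set changes
    nothing, and setting one flag never clears the other."""
    return parse_option(current) | flag


def describe_option(value):
    """Which of the FAQ's two flags a value carries. Bits the FAQ does not name
    are reported as 'other' rather than guessed at."""
    v = parse_option(value)
    names = []
    if v & NOTIFY_FLAG:
        names.append("notify")
    if v & NO_COMPRESSION_FLAG:
        names.append("no-compression")
    if v & ~KNOWN_FLAGS:
        names.append("other")
    return names


def binary_worked(current, flag):
    """The 4-bit binary strings the FAQ walks through, for checking by eye."""
    cur = parse_option(current)
    result = cur | flag
    return f"{cur:04b} OR {flag:04b} = {result:04b} (decimal {result})"


if __name__ == "__main__":
    print(binary_worked("<Not Set>", NO_COMPRESSION_FLAG))  # first procedure, unset
    print(binary_worked("1", NO_COMPRESSION_FLAG))          # first procedure's example
    print(binary_worked("4", NOTIFY_FLAG))                  # second procedure's example
    print(describe_option("5"))
```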

How are password changes communicated between Active Directory (AD) sites?

A. When a domain controller (DC) carries out a password change, the change is forwarded to the PDC Flexible Single-Master Operation (FSMO) role holder for the domain. This change isn't an urgent replication but instead is a separate communication that notifies the PDC FSMO outside of regular replication connections. When a client uses an incorrect password to initiate an authentication request, before failing the authentication, the DC that received the authentication request asks the PDC FSMO to verify the password and confirm whether a new password is in use. If so, the FSMO communicates the password to the DC outside of normal replication cycles (out of band). This communication for verifying incorrect passwords is for any DC in the domain, not just those within a local site. If you don't see this behavior, it's possible that someone has turned off the password-change PDC communication for DCs in sites not local to the PDC emulator. The process for doing so is described in the FAQ "How can I stop password changes from being pushed to the PDC FSMO over WAN links?" ( http://www.windowsitpro.com/articles/index.cfm?articleid=21788 ). Firewall restrictions can also block the password-verification default behavior.

I'm receiving errors from DCs in my domain, which state that the target Principal Name is incorrect or that access is denied when I attempt to replicate AD data or to perform some domain-modification functions. What's going on?

A. I recently experienced this problem when I started a DC that I hadn't used for a while and wanted to demote, but the demotion kept failing. The problem was that the DC's computer account with the domain had expired and its services could no longer communicate with other DCs in the domain. I solved the problem by resetting the DC's account. To do so, perform these steps:

1. Log on to the DC that's having the problems.
2. Ensure that the Windows Support Tools are installed. (We'll be using the Netdom tool, which is part of the support tools.)
3. Start the Microsoft Management Console (MMC) Computer Management snap-in (Start, Programs, Administrative Tools, Computer Management).
4. Scroll down to the "Services and Applications" section and select the Services subleaf.
5. Double-click the Kerberos Key Distribution Center (KDC) service.
6. Set its startup type to Disabled and click OK.
7. Reboot the DC.
8. When the DC restarts, open a command prompt and run this command:

netdom resetpwd /server:<PDC FSMO role holder of domain> /userd:<domain administrator> /passwordd:<domain admin password>

9. You should see a confirmation message stating that the machine account has been reset.
10. Restart the Computer Management snap-in.
11. Scroll down to the "Services and Applications" section and select the Services subleaf.
12. Double-click the KDC service.
13. Set its startup type to Automatic and click OK.
14. Reboot the DC.

The DC should now function correctly.

How can I use a script to create a list of domains that an Active Directory (AD) domain trusts?

A. Using the Active Directory Services Interface (ADSI), you can use a script like the following sample to query objects from AD--such as trustedDomain objects from a domain's System container--and thereby obtain a list of all the trusted domains.

Option Explicit
Dim objConnection, objChild
' Bind to the System container of the domain; replace the server and DN with your own.
Set objConnection = GetObject("LDAP://vs2003dstdc1.dest.test/cn=system,dc=dest,dc=test")
' Only enumerate trustedDomain objects, one per trusted domain.
objConnection.Filter = Array("trustedDomain")
For Each objChild In objConnection
    WScript.Echo objChild.Name
Next
WScript.Echo "Operation Completed"

Ensure that you replace the "Set objConnection" Lightweight Directory Access Protocol (LDAP) connection string with one for your domain. For example, if a domain controller (DC) is DC1 in domain savilltech.com, the line would read: Set objConnection = GetObject("LDAP://dc1.savilltech.com/cn=system,dc=savilltech,dc=com")

Do I need to take any special steps when restoring a backup of my Relative Identifier (RID) master?

A. Remember that the RID master is responsible for allocating RIDs (in batches of 500) to all domain controllers (DCs) in a domain. If the RID master is incorrectly restored (e.g., from an old backup), it might assign RID pools that it has already issued, resulting in duplicate SIDs being created in the domain. Therefore, I recommend that you give the RID master Flexible Single-Master Operation (FSMO) role to a different DC instead of restoring the RID master. If you do restore the RID master, be aware that if you have more than one DC in the domain, the RID master must be able to contact one of them before its RID role will be started. In a disaster recovery situation, this requirement might be a problem because no other DCs would be available. Microsoft documents the steps to work around this problem at http://support.microsoft.com/?kbid=839879.

Where are universal groups stored?

A. Universal groups are stored in the Global Catalog (GC), but does an additional database exist that stores only universal groups and is replicated among all GCs? Remember, GCs store a full copy of their local domain's partition and a subset of the domain database of every other domain in the forest (the only attributes stored are those defined in the partial attribute set). There is no additional database on top of the partial copy of every domain. Universal groups are created in a container within a specific domain, and their member attributes are replicated as part of the partial database stored on GC servers, whereas the member attributes of regular groups (e.g., global, local) aren't replicated as part of the partial database. Therefore, the partial database copy that's stored on every GC server knows the membership of every universal group from every domain in the forest. This functionality lets GCs store universal groups. The universal group membership is stored in the domain in which the universal group was created, and the partial copy of the domain is stored on every GC throughout the forest. You can use the ADSI Edit tool to view this setup by performing these steps:

1. Start ADSI Edit (Start, Run, adsiedit.msc).
2. Right-click the root of ADSI Edit and select "Connect to".
3. Enter a name for the connection (e.g., Partial Retail Domain), as the figure shows. In the Connection Point section, select "Select or type a Distinguished Name or Naming Context" and enter the distinguished name (DN) of the partition to view (e.g., dc=retail,dc=savilltech,dc=com). In the Computer section, enter the name of the GC server that isn't a domain controller (DC) for the partition you selected.
4. Click Advanced.
5. Under Protocol, select Global Catalog and click OK.
6. Click OK at the main dialog box.
7. Expand the new partition under ADSI Edit until you see the container that holds the universal group you want to view.
8. Right-click the universal group and select Properties.
9. Notice that the member attribute contains the users from all domains. If you look at a group that isn't a universal group, its member attribute will be empty.

How can I use the ADSI Edit tool to check my domain and forest modes?

A. Domain and forest modes are defined by a combination of three values: For the domain mode, you need to check the msDS-Behavior-Version and nTMixedDomain attributes of the Domain container; for the forest mode, you check the msDS-Behavior-Version attribute of the Partitions container, which you'll find in the Configuration object of the Forest root. To view these attributes perform these steps:

1. Start ADSI Edit (Start, Run, adsiedit.msc). This tool is part of the Windows 2000 and later Support Tools, so make sure you have these tools installed.
2. Expand the Domain branch. Right-click the domain name and select Properties from the context menu. (If the domain you want isn't displayed, select "Connect to..." from the root context menu and enter the domain information, including credentials for a connection.)
3. Click the Attribute Editor tab and scroll down to view the msDS-Behavior-Version and nTMixedDomain values. These are the domain-specific values.
4. Expand the Configuration object at the root of adsiedit and expand the Configuration container specific to your forest. Right-click the CN=Partitions container and select Properties.
5. Click the Attribute Editor tab to view the msDS-Behavior-Version value, as the figure shows. Click OK.
6. Close ADSI Edit.

Q. Should I define a "catch-all" subnet for my Active Directory (AD) sites?

A. Sites are defined in terms of IP subnets, and when you have multiple physical sites, you need to associate all existing IP subnets at each location with the correct AD site. Doing so ensures that clients at those sites will use resources at their local site when possible. If for some reason (usually by mistake) a subnet hasn't been defined, a client that has an IP address within that subnet range doesn't belong to a site and therefore will use any domain controller (DC) in the organization instead of a DC that's local to the client's site. To ensure that all clients within your organization are associated with a local site, you can create a catch-all subnet and link it to your main corporate or hub site. For example, if all my subnets were within the Class B range of 10.1.x.x, I could define a 10.1.0.0/16 subnet and link it to the corporate site. Any subnet that wasn't specifically defined and linked to other sites will cause clients that have IP addresses in those missed ranges to "think" they're in the corporate site. Although not ideal, this approach is better than having a client that doesn't belong to a site and possibly using DCs in remote, slowly linked locations. Creating a catch-all subnet doesn't typically present a problem because the client's site is based on the most specific match, not the first match. For example, if the following site definitions exist:

Corporate: 10.1.1.0/24, 10.1.2.0/24 and 10.1.0.0/16
London: 10.1.3.0/24
Dallas: 10.1.4.0/24

and a client has an address of 10.1.3.25, although that address is within the 10.1.0.0/16 range, it actually belongs to the London site (10.1.3.0/24), which is a more specific match (more bits used for the subnet). This catch-all subnet can also be a savior if your network team decides to add new subnets. The catch-all provides you some safety, although you should still keep your site definitions as accurate as possible to ensure that clients use local resources when they can.
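The most-specific-match rule described above, as an added example (not part of the original FAQ): the site and subnet definitions are the ones listed in the answer, the client addresses tested are constructed, and the function also shows what happens to a client when the catch-all is absent.

```python
"""Added example (not from the original FAQ): Active Directory style site
lookup by most-specific subnet match, using the FAQ's own site definitions.
Client addresses in the demo are constructed for illustration."""
import ipaddress

# Site -> subnets exactly as listed in the FAQ; 10.1.0.0/16 is the catch-all.
SITE_SUBNETS = {
    "Corporate": ["10.1.1.0/24", "10.1.2.0/24", "10.1.0.0/16"],
    "London": ["10.1.3.0/24"],
    "Dallas": ["10.1.4.0/24"],
}


def build_subnet_table(site_subnets):
    """Flatten {site: [cidr, ...]} into a list of (network, site) pairs.
    strict=True rejects a subnet whose host bits are set, which is the kind
    of typo that silently leaves clients without a site."""
    table = []
    for site, subnets in site_subnets.items():
        for cidr in subnets:
            table.append((ipaddress.ip_network(cidr, strict=True), site))
    return table


def site_for_address(address, table):
    """Return the site whose subnet is the most specific (longest prefix)
    match for address, or None when no defined subnet contains it.

    AD picks the longest prefix, not the first match, so a /16 catch-all
    cannot steal clients from a more specific /24 site."""
    ip = ipaddress.ip_address(address)
    best = None
    for network, site in table:
        if ip in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, site)
    return best[1] if best else None


def classify_clients(addresses, site_subnets=SITE_SUBNETS):
    """Map each client address to its site. None marks a client with no site,
    which would pick any DC in the organization, as the FAQ warns."""
    table = build_subnet_table(site_subnets)
    return {addr: site_for_address(addr, table) for addr in addresses}


if __name__ == "__main__":
    # Constructed sample clients: one per defined site, one caught only by the
    # catch-all, and one outside 10.1.x.x entirely.
    clients = ["10.1.3.25", "10.1.4.9", "10.1.1.200", "10.1.57.3", "192.168.5.5"]
    for addr, site in classify_clients(clients).items():
        print(f"{addr:<14} -> {site or 'NO SITE (any DC may be used)'}")
    # Same clients with the catch-all removed: 10.1.57.3 now has no site.
    without_catchall = {"Corporate": ["10.1.1.0/24", "10.1.2.0/24"],
                        "London": ["10.1.3.0/24"], "Dallas": ["10.1.4.0/24"]}
    print("without catch-all:", classify_clients(clients, without_catchall))
```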

Q. How can a client computer determine which site it belongs to?

A. A client computer ascertains which site it currently resides in when the computer starts. As part of the initial startup traffic, clients attempt to locate a domain controller (DC) for their domain. (This search occurs early in the startup process; if you use DHCP, it occurs just after the address is leased or renewed.) If the client currently has no DynamicSiteName registry value--which indicates the site in which the client was located when it was last started--the client performs a generic DNS query for any Lightweight Directory Access Protocol (LDAP) service by using the DNS query format _ldap._tcp.dc._msdcs.

If the client previously resided in a site and therefore has a DynamicSiteName registry value, the DNS query tries to find a DC in that site by using the following query format: _ldap._tcp.._sites.dc._msdcs.

When the client finds a DC, the client issues a UDP LDAP request asking for Netlogon-service information from the DC; the DC returns a SearchResponse (4) message, which lists the DC's local site and the client's site name, according to the client's IP address, if the queried DC isn't from the client's current local site. If the DNS query can't match a client's IP address to a defined site, it doesn't return a recommended site, only the DC's current site. The following sample packets show three types of DNS query responses. The first example shows the results of a client querying a DC that's within the client's IP-calculated site:

00000020 30 84 00 00 00 8B                               0.....
00000030 02 01 02 64 84 00 00 00 82 04 00 30 84 00 00 00 ...d.......0....
00000040 7A 30 84 00 00 00 74 04 08 6E 65 74 6C 6F 67 6F z0....t..netlogo
00000050 6E 31 84 00 00 00 64 04 62 17 00 00 00 FD 01 00 n1....d.b.......
00000060 00 68 CC 80 31 3C AF B7 4F B7 43 EF 17 8D F4 4F .h..1<..O.C....O
00000070 99 0A 73 61 76 69 6C 6C 74 65 63 68 03 63 6F 6D ..savilltech.com
00000080 00 C0 18 0A 73 61 76 64 61 6C 64 63 30 31 C0 18 ....savdaldc01..
00000090 0A 53 41 56 49 4C 4C 54 45 43 48 00 0A 53 41 56 .SAVILLTECH..SAV
000000A0 44 41 4C 44 43 30 31 00 00 06 44 61 6C 6C 61 73 DALDC01...Dallas
000000B0 00 C0 50 05 00 00 00 FF FF FF FF 30 84 00 00 00 ..P........0....
000000C0 10 02 01 02 65 84 00 00 00 07 0A 01 00 04 00 04 ....e...........
000000D0 00

The next example shows the results of a client querying a DC that isn't local to the client's site:

00000020 30 84 00 00 00 90                               0.....
00000030 02 01 02 64 84 00 00 00 87 04 00 30 84 00 00 00 ...d.......0....
00000040 7F 30 84 00 00 00 79 04 08 6E 65 74 6C 6F 67 6F .0....y..netlogo
00000050 6E 31 84 00 00 00 69 04 67 17 00 00 00 7D 01 00 n1....i.g....}..
00000060 00 68 CC 80 31 3C AF B7 4F B7 43 EF 17 8D F4 4F .h..1<..O.C....O
00000070 99 0A 73 61 76 69 6C 6C 74 65 63 68 03 63 6F 6D ..savilltech.com
00000080 00 C0 18 0A 73 61 76 64 61 6C 64 63 30 31 C0 18 ....savdaldc01..
00000090 0A 53 41 56 49 4C 4C 54 45 43 48 00 0A 53 41 56 .SAVILLTECH..SAV
000000A0 44 41 4C 44 43 30 31 00 00 06 44 61 6C 6C 61 73 DALDC01...Dallas
000000B0 00 05 41 6C 6C 65 6E 00 05 00 00 00 FF FF FF FF ..Allen.........
000000C0 30 84 00 00 00 10 02 01 02 65 84 00 00 00 07 0A 0........e......
000000D0 01 00 04 00 04 00                               ......

Notice that the query initially returns a site named Dallas, then returns a second site, Allen. In this case, Dallas is the site of the DC (savdaldc01), but the response is telling the client that it should instead find a DC in the Allen site (which it would find via a DNS query specifying the Allen site). The final sample packet shows the response when the DNS query can't match the client's IP address with sites defined in the Active Directory (AD):

00000020 30 84 00 00 00 8A                               0.....
00000030 02 01 02 64 84 00 00 00 81 04 00 30 84 00 00 00 ...d.......0....
00000040 79 30 84 00 00 00 73 04 08 6E 65 74 6C 6F 67 6F y0....s..netlogo
00000050 6E 31 84 00 00 00 63 04 61 17 00 00 00 7D 01 00 n1....c.a....}..
00000060 00 68 CC 80 31 3C AF B7 4F B7 43 EF 17 8D F4 4F .h..1<..O.C....O
00000070 99 0A 73 61 76 69 6C 6C 74 65 63 68 03 63 6F 6D ..savilltech.com
00000080 00 C0 18 0A 73 61 76 64 61 6C 64 63 30 31 C0 18 ....savdaldc01..
00000090 0A 53 41 56 49 4C 4C 54 45 43 48 00 0A 53 41 56 .SAVILLTECH..SAV
000000A0 44 41 4C 44 43 30 31 00 00 06 44 61 6C 6C 61 73 DALDC01...Dallas
000000B0 00 00 05 00 00 00 FF FF FF FF 30 84 00 00 00 10 ..........0.....
000000C0 02 01 02 65 84 00 00 00 07 0A 01 00 04 00 04 00 ...e............

Notice in these examples that if the client's IP address matches the queried DC's site, a "P" (preferred) character appears after the site name, as line 19 in the first example shows; if there's no match, the "P" doesn't appear and because the preferred site name is blank, the response means the DNS query found no matching site. Thus the client doesn't reside within the boundary of any known site and will therefore randomly use any existing DC. You can also determine a client's site either by running the command

nltest /dsgetsite

or by using the following code in a script:

Set oSysInfo = CreateObject("ADSystemInfo")
MsgBox oSysInfo.SiteName

To reset the client and discover information about the client's site, run the following command:

nltest /sc_reset:domain-name\local-dc

It's important that client machines don't have IP addresses outside of defined sites. Certain services, such as the Microsoft Exchange System Attendant, won't start if the site's membership can't be discovered.

Q. How does Windows process logon scripts that you define via Group Policy?

A. Group Policy lets you define scripts at multiple levels (i.e., site, domain, organizational unit--OU). You can define multiple scripts at each level by using multiple Group Policy Object (GPO) links or by defining multiple scripts in one GPO. You can also define a logon script at the User-object level. The scripts you define run in the order in which the GPOs are applied, so site-level scripts run first, then domain-level scripts, OU-level scripts, and finally User-object scripts. However, the scripts don't run in series; they run in parallel. Therefore, you can't rely on GPO application order to set the precedence of actions performed in logon scripts because the scripts might run at different speeds and finish at different times. You also need to ensure that your logon scripts don't overwrite the actions of other logon scripts. Remember that logon scripts that run via Group Policy run in the background; you can't see them execute. You can, however, change this behavior by modifying a GPO setting, as I explain in the FAQ "How can I configure Group Policy-based scripts to display when they're executed?"

Q. How can I enable complex passwords on my Windows Server 2003 Active Directory (AD) domain?

A. On a new Windows 2003 domain, complex password creation is enabled by default; however, to configure complex passwords for an upgraded domain or to simply modify the password settings, perform these steps:

56. Open the Group Policy Object (GPO) that's linked at the domain level. For example, open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, right-click the domain, select Properties, select the Group Policy tab, select the GPO, then click Edit. Doing so opens Group Policy Editor (GPE). Remember that password policies are part of the Account Settings group and take effect only when you set them at domain level; they won't be implemented if you set them at site or organizational unit (OU) levels.

57. Select Computer Configuration, Windows Settings, Security Settings, Account Policies, Password Policy.

58. Double-click the relevant settings and set them to the settings you want (e.g., "Password must meet complexity requirements," "Minimum password length," "Maximum password age"). The figure shows the default settings for a new Windows 2003 domain, which are a good baseline.

59. Close GPE.

Q. How can I quickly search for shared folders that are published in Active Directory (AD)?

A. To quickly search AD for published shared folders, you can run the command

rundll32 dsquery,OpenQueryWindow

Executing this command opens the Find dialog box, which provides in the drop-down lists the option to find Shared Folders and where to search. The Figure shows search results displayed in the Find dialog box. In pre-Windows XP versions, you could access this dialog box fairly easily via Explorer or My Network places. However, accessing the Find dialog box is a little more complicated in XP, so you might want to create a shortcut to the previous Rundll32 command.

Q. How can I run a report that displays the last password change for all accounts in a container?

A. The last-password-change date is stored in the user class's Active Directory (AD) pwdLastSet attribute as a large integer, which means the date must be converted so that it can be read and displayed in a usable "date" format. To perform the conversion, I modified a script by Richard Mueller so that it searches for all users in the passed root distinguished name and outputs their last-password-change date to the screen. You can download the script, listuserpasslastchange.vbs, or copy and paste the following script into a text file.

' John Savill
' This is based on Richard Mueller's script on Integer8Date
' conversion, which is copyrighted as below.
' Copyright (c) 2003 Richard L. Mueller
' Hilltop Lab Web site - http://www.rlmueller.net
'
' I simply changed it to output all objects in a passed DN.

Option Explicit

Dim strLdapPath, objConnection, objChild
Dim lngTZBias, objUser, objPwdLastSet
Dim objShell, lngBiasKey, k

' Check that all required arguments have been passed
If Wscript.Arguments.Count < 1 Then
    Wscript.Echo "Arguments required. For example:" & vbCrLf _
        & "cscript listuserpasslastchange.vbs ou=test,dc=demo,dc=test"
    Wscript.Quit(0)
End If

strLdapPath = Wscript.Arguments(0)

' Obtain local Time Zone bias from machine registry.
Set objShell = CreateObject("Wscript.Shell")
lngBiasKey = objShell.RegRead("HKLM\System\CurrentControlSet\Control\" _
    & "TimeZoneInformation\ActiveTimeBias")
If UCase(TypeName(lngBiasKey)) = "LONG" Then
    lngTZBias = lngBiasKey
ElseIf UCase(TypeName(lngBiasKey)) = "VARIANT()" Then
    ' Some systems return the bias as a byte array; rebuild the integer.
    lngTZBias = 0
    For k = 0 To UBound(lngBiasKey)
        lngTZBias = lngTZBias + (lngBiasKey(k) * 256^k)
    Next
End If

' Bind to the container and enumerate only user objects.
Set objConnection = GetObject("LDAP://" & strLdapPath)
objConnection.Filter = Array("user")

For Each objChild In objConnection
    Set objPwdLastSet = objChild.pwdLastSet
    WScript.Echo objChild.Name & vbTab & _
        Integer8Date(objPwdLastSet, lngTZBias)
Next

Wscript.Echo "Operation Completed"

Function Integer8Date(objDate, lngBias)
    ' Function to convert Integer8 (64-bit) value to a date, adjusted for
    ' local time zone bias.
    Dim lngAdjust, lngDate, lngHigh, lngLow
    lngAdjust = lngBias
    lngHigh = objDate.HighPart
    lngLow = objDate.LowPart
    ' Account for error in IADsLargeInteger property methods.
    If lngLow < 0 Then
        lngHigh = lngHigh + 1
    End If
    ' A value of zero means the password has never been set; don't apply the bias.
    If (lngHigh = 0) And (lngLow = 0) Then
        lngAdjust = 0
    End If
    lngDate = #1/1/1601# + (((lngHigh * (2 ^ 32)) _
        + lngLow) / 600000000 - lngAdjust) / 1440
    ' Trap error if lngDate is ridiculously huge.
    On Error Resume Next
    Integer8Date = CDate(lngDate)
    If Err.Number <> 0 Then
        On Error GoTo 0
        Integer8Date = #1/1/1601#
    End If
    On Error GoTo 0
End Function

To run the script, use the syntax

cscript listuserpasslastchange.vbs ou=test,dc=demo,dc=test

You'll see output that's similar to this:

CN=Bruce Wayne  11/17/2003 1:30:14 PM
CN=Clark Kent   11/17/2003 1:31:30 PM
CN=Hal Jordan   12/6/2004 2:52:56 PM
CN=Wally West   3/17/2003 9:04:45 AM
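The Integer8 arithmetic that Integer8Date performs, as an added Python example (this is not the FAQ's script nor Richard Mueller's code): it rebuilds the 64-bit value from the signed HighPart/LowPart pair, applies the ActiveTimeBias the VBScript reads from the registry, handles the never-set (0) and overflow cases the same way the script does, and adds a stale-password report on top. The bias convention (minutes, UTC minus local time) and the sample accounts are assumptions labelled in the code.

```python
"""Added example, not part of the FAQ or Richard Mueller's script: the
Integer8 (64-bit FILETIME) conversion performed by Integer8Date, written in
Python so the arithmetic can be checked without a domain controller.

Assumptions (not from the page): pwdLastSet values arrive as Python ints or
as (HighPart, LowPart) pairs; 'bias' is the ActiveTimeBias registry value in
minutes (UTC minus local time); sample accounts are constructed."""
from datetime import datetime, timedelta

EPOCH_1601 = datetime(1601, 1, 1)          # FILETIME epoch, UTC
TICKS_PER_MICROSECOND = 10                 # one tick = 100 nanoseconds
# Well-known constant: the Unix epoch expressed as FILETIME ticks.
UNIX_EPOCH_TICKS = 116_444_736_000_000_000


def high_low_to_integer8(high, low):
    """Rebuild the 64-bit value from the signed 32-bit HighPart/LowPart that
    IADsLargeInteger exposes. A negative LowPart means bit 31 was set; the
    VBScript compensates by adding 1 to HighPart, which is the same as
    adding 2**32 to LowPart here."""
    if low < 0:
        low += 2 ** 32
    return (high << 32) + low


def integer8_to_datetime(value, bias_minutes=0):
    """Convert Integer8 ticks to a naive local datetime.

    0 means the password was never set (the user must change it at next
    logon); the script prints 1/1/1601 for it and so do we. A value past
    year 9999 (e.g. 0x7FFFFFFFFFFFFFFF, 'never') overflows datetime; the
    script traps that error and falls back to 1/1/1601, so we do too."""
    if value == 0:
        return EPOCH_1601
    try:
        utc = EPOCH_1601 + timedelta(microseconds=value // TICKS_PER_MICROSECOND)
    except OverflowError:
        return EPOCH_1601
    return utc - timedelta(minutes=bias_minutes)


def datetime_to_integer8(local_dt, bias_minutes=0):
    """Inverse conversion: useful for building test data and for turning a
    'passwords older than' cutoff into a value to compare pwdLastSet against."""
    delta = (local_dt + timedelta(minutes=bias_minutes)) - EPOCH_1601
    return ((delta.days * 86_400 + delta.seconds) * 10_000_000
            + delta.microseconds * TICKS_PER_MICROSECOND)


def stale_password_report(users, bias_minutes, older_than):
    """users: iterable of (name, pwdLastSet int). Return the names whose
    password was last changed before older_than (a local datetime) or was
    never set at all (pwdLastSet == 0), the two cases an auditor flags."""
    flagged = []
    for name, pwd_last_set in users:
        changed = integer8_to_datetime(pwd_last_set, bias_minutes)
        if pwd_last_set == 0 or changed < older_than:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    BIAS = 360  # constructed: US Central Standard Time, UTC-6
    # Constructed sample data modelled on the FAQ's example output.
    sample = [
        ("CN=Bruce Wayne", datetime_to_integer8(datetime(2003, 11, 17, 13, 30, 14), BIAS)),
        ("CN=Clark Kent", datetime_to_integer8(datetime(2003, 11, 17, 13, 31, 30), BIAS)),
        ("CN=Wally West", datetime_to_integer8(datetime(2003, 3, 17, 9, 4, 45), BIAS)),
        ("CN=New Hire", 0),
    ]
    for name, ticks in sample:
        print(name, "\t", integer8_to_datetime(ticks, BIAS))
    print("changed before 2003-06-01 or never set:",
          stale_password_report(sample, BIAS, datetime(2003, 6, 1)))
```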

Q. Can I use the .local or .pvt top-level domain (TLD) names as part of an Active Directory (AD) tree name?

A. Companies often use a .local or .pvt TLD to name an AD tree. However, as I explain shortly, it's better to use a standard naming method--for example, create a name by using a subdomain of your company's DNS address space (e.g., if your company's DNS domain is ntfaq.com, you could name your AD tree ads.ntfaq.com). When you use this method, though, you must remember that the DNS information for the AD tree is hosted on internal DNS servers, not on your external DNS servers. This means that external users can't see information about your internal infrastructure because external users can access only the external DNS server, which has no information about your internal infrastructure. Alternatively, if you want to create a second-level name for your AD domain, reserve another name--for example, ntfaq.net--but don't set your AD domain to the same name as your external name, to avoid causing confusion in name resolution. If you're determined to use a nonstandard TLD in your domain name, avoid the use of .local or .pvt because they aren't reserved. Instead, use one of these reserved top-level domains:

.test
.example
.invalid
.localhost

Q. How can I quickly obtain a list of the domain controllers (DCs) in my Active Directory (AD) domain?

A. You can output a list of all DCs in a domain by running the Nltest command (which is included in the Support Tools) and specifying the /dclist parameter. The following sample command generates a list of all DCs in the savilltech.com domain:

nltest /dclist:savilltech.com

Q. How can I revoke delegated Active Directory (AD) permissions?


A. You can revoke permissions on all containers under a passed root--for example, a domain or an organizational unit (OU)--by using the Dsrevoke tool, which I describe in the FAQ "How can I view the state of Active Directory (AD) permissions delegations?" To revoke permissions, you use the command syntax that I provided in that FAQ but replace the /report switch with the /remove switch, like this:

dsrevoke /remove /root:ou=testing,dc=demo,dc=test demo\helpdesk

After you run Dsrevoke, the access control entries (ACEs) that match your criteria are displayed on screen, like this:

ACE #1
Object: OU=testing,DC=demo,DC=test
Security Principal: DEMO\HelpDesk

Permissions:
READ PROPERTY
WRITE PROPERTY
ACE Type: ALLOW

ACE does not apply to this object
ACE inherited by all child objects of class User

ACE #2
Object: OU=testing,DC=demo,DC=test
Security Principal: DEMO\HelpDesk

Permissions:
EXTENDED ACCESS
ACE Type: ALLOW

ACE does not apply to this object
ACE inherited by all child objects of class User

# of ACEs for demo\helpdesk = 2

Do you want to remove the above listed ACEs (y/n): y
All ACEs successfully removed

To remove the ACEs, you must enter "y" (yes) at the prompt. You can then confirm the removal by running Dsrevoke to output a report:

dsrevoke /report /root:ou=testing,dc=demo,dc=test demo\helpdesk

The command outputs this message:

No ACEs for demo\helpdesk

Q. How can I view the state of Active Directory (AD) permissions delegations?

A. Windows Server 2003 and Windows 2000 Server provide helpful wizards for delegating permissions to users in AD. However, no wizard lets you view existing delegations. To do so, you must manually view the security settings that have been applied on containers and objects. Microsoft recently released a tool that makes it easier to view existing permissions delegations. You can download the tool--called Dsrevoke--at the Microsoft Web site. Dsrevoke reports on the permissions for a domain and/or organizational units (OUs) and also lets you remove permissions. For example, the following sample Dsrevoke command checks for permissions on the HelpDesk group in the demo domain and specifies the Testing OU in the demo.test domain:

dsrevoke /report /root:ou=testing,dc=demo,dc=test demo\helpdesk

The command displays these onscreen messages:

ACE #1
Object: OU=testing,DC=demo,DC=test
Security Principal: DEMO\HelpDesk

Permissions:
READ PROPERTY
WRITE PROPERTY
ACE Type: ALLOW

ACE does not apply to this object
ACE inherited by all child objects of class User

ACE #2
Object: OU=testing,DC=demo,DC=test
Security Principal: DEMO\HelpDesk

Permissions:
EXTENDED ACCESS
ACE Type: ALLOW

ACE does not apply to this object
ACE inherited by all child objects of class User

# of ACEs for demo\helpdesk = 2

You can see in the output that the HelpDesk group has several access control entries (ACEs) for the Testing OU; however, the output information doesn't provide the exact permissions for the HelpDesk group. To determine this information, you must first enable the Advanced view in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. Then, at the container's Properties page, select the Security tab and click the Advanced button. To view a group's permissions, select the Permissions tab, then select the group and click Edit, as the Figure shows. In this example, the HelpDesk group has permissions to reset passwords and to force a password change. Dsrevoke is most effective when delegation has been defined by using roles--that is, users are placed in a group, and the group is given permissions at a domain or OU level, instead of via individual objects.

Q. How can I install a domain controller (DC) from backup media by using a Dcpromo answer file?

A. To create a DC from a backup during the Dcpromo process, add these two entries to the answer file:

ReplicateFromMedia=Yes
ReplicationSourcePath=<media_source_path>

Your answer file entries should look something like this:

[Unattended]
UnattendMode=FullUnattended

[DCInstall]
AllowAnonymousAccess=No
AutoConfigDNS=No
DatabasePath=<Db_Path>
LogPath=<Log_Path>
SysVolPath=<SysVol_Path>
Password=<User_Pwd>
UserDomain=<Net_Bios_Domain_Name>
UserName=<User_Name>
ReplicaDomainDNSName=<DNS_Domain_Name>
CriticalReplicationOnly=No
ReplicaOrNewDomain=Replica
SafeModeAdminPassword=<safe_mode_pwd>
RebootOnSuccess=Yes
ReplicateFromMedia=Yes
ReplicationSourcePath=<media_source_path>
ConfirmGC = Yes

Q. What entry should I add to a Dcpromo answer file to specify that a domain controller (DC) should also be made a Global Catalog (GC)?

A. To specify that a DC should also be made a GC during the Dcpromo process (which can be useful when you install a new DC from media that contains data copied from a GC), add the following entry to the answer file:

ConfirmGC = Yes

Q. How do I set a domain to interim mode?

A. Typically, when you upgrade a domain from Windows NT Server 4.0 to Windows Server 2003 and the domain is the first one in a new forest, during the upgrade you can set the domain and forest mode to interim. Interim mode has advantages over Windows 2000 Server native mode--for example, interim mode has no 5000-group membership limit and provides Knowledge Consistency Checker (KCC) and topology enhancements. If you're creating a new domain, you can set the domain and forest mode to interim by using the ADSI Edit tool. (You can't use the typical Active Directory--AD--management snap-ins to do this.) To set the domain and forest mode to interim for a new domain, follow these steps:

60. Start the ADSI Edit tool (Start, Run, adsiedit.msc).

61. Expand the Configuration partition of the forest root--for example, CN=Configuration,DC=demo,DC=test.

62. Right-click CN=Partitions, then click Properties.

63. Select the msDS-Behavior-Version attribute, then click Edit.

64. In the Value field, which the Figure shows, type 1 and click OK.

When you check the forest and domain level, it will now be displayed as Windows Server 2003 interim. Be aware, though, that after you make this change you can't go back to mixed mode and thus can no longer add Windows 2000 DCs to the domain.


Q. How can I check which domain controllers (DCs) are acting as bridgeheads for a site?

A. The Intersite Topology Generator (ISTG) decides which of a site's DCs will act as the site's bridgehead servers (in Windows Server 2003, you can use multiple DCs for each replicated naming context). One way to check which DCs are acting as bridgehead servers for a site is to view the connection objects by using the Microsoft Management Console (MMC) Active Directory Sites and Services snap-in, which shows the DCs each DC is replicating with. The best method for determining which DCs are acting as bridgehead servers is to use the Repadmin tool and specify the /bridgeheads parameter. To do so, enter the command

repadmin /bridgeheads

You'll then see on-screen messages similar to those that the Figure shows.

Q. How can I create an HTML view of my organizational unit (OU) structure?

A. To answer this, I modified the script in the FAQ "How can I create a summary of the contents of the organizational units (OUs) in my environment?" so that it outputs to an HTML file and includes the total number of OUs and the maximum depth of OUs that it found. Download the code and extract the oulisthtmlgraph.vbs file from oulist.zip. (The zip file also contains oulisthtml.vbs, an earlier version of the script that doesn't output HTML graphics.) In addition, oulist.zip contains five image files, which you should place in a folder named "images" in the directory where your output HTML file will be stored. (Placing the image files in this location ensures that Microsoft Internet Explorer (IE) can find the graphics when it opens the HTML file.) The figure shows an example of the script's HTML output.

Q. How can I create a summary of the contents of the organizational units (OUs) in my environment?

A. I recently needed to quickly document a client's OU structure for a domain and had to include in the documentation the number of users, groups, computers, and contacts in each OU. To achieve this, I wrote a short script--oulist.vbs--that uses Microsoft Active Directory Service Interfaces (ADSI) to interrogate Active Directory (AD) and produce a report that details the specified container's content. To use oulist.vbs, you can either save the following code into a file (name it oulist.vbs) or download the script.

Option Explicit

Dim strLdapPath, objConnection, objChild, dtmCreate
Dim totalUsers, totalComputers, totalGroups, totalContacts

totalUsers=0
totalGroups=0
totalComputers=0
totalContacts=0

' Check that all required arguments have been passed.
If Wscript.Arguments.Count < 1 Then
    Wscript.Echo "Arguments required. For example:" & vbCrLf _
        & "cscript oulist.vbs ou=test,dc=demo,dc=test"
    Wscript.Quit(0)
End If

strLdapPath = Wscript.Arguments(0)
Wscript.Echo " " & strLdapPath

call GetDetail(strLdapPath," ")

WScript.Echo vbCrLf & " Totals: " & totalUsers & " users " & _
    totalGroups & " groups " & totalComputers & " computers " & _
    totalContacts & " contacts"
Wscript.Echo "Operation Completed"

' Count the objects in one container, then recurse into each child OU.
Function GetDetail(strLdapPathNow, indent)

    Dim userCount, groupCount, computerCount, contactCount

    userCount=0
    groupCount=0
    computerCount=0
    contactCount=0

    Set objConnection = GetObject("LDAP://" & strLdapPathNow)

    For Each objChild In objConnection

        if objChild.class = "user" then
            userCount=userCount+1
            totalUsers=totalUsers+1
        end if

        if objChild.class = "group" then
            groupCount=groupCount+1
            totalGroups=totalGroups+1
        end if

        if objChild.class = "computer" then
            computerCount=computerCount+1
            totalComputers=totalComputers+1
        end if

        if objChild.class = "contact" then
            contactCount=contactCount+1
            totalContacts=totalContacts+1
        end if

    Next

    WScript.Echo indent & "(" & userCount & " users " & groupCount _
        & " groups " & computerCount & " computers " _
        & contactCount & " contacts)"

    ' Restrict the enumeration to child OUs and descend into each one.
    objConnection.Filter = Array("organizationalUnit")

    For Each objChild In objConnection

        WScript.Echo indent & "- " & objChild.Name
        call GetDetail(objChild.Name & "," & strLdapPathNow, _
            indent & " ")

    Next

End Function

Oulist.vbs calls the GetDetail function to check the content of the passed container. The script then checks for OUs in the current container and, for each OU it finds, calls the function again. A process that calls itself is known as a recursive process. Running oulist.vbs produces output on screen that's similar to the following:

C:\scripts>cscript oulist.vbs dc=savilltech,dc=net
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

 dc=savilltech,dc=net
 (0 users 0 groups 0 computers 0 contacts)
 - OU=Domain Controllers
  (0 users 0 groups 1 computers 0 contacts)
 - OU=test
  (0 users 0 groups 0 computers 0 contacts)
  - OU=subtest1
   (0 users 0 groups 0 computers 0 contacts)
   - OU=subsubtest1
    (0 users 0 groups 0 computers 0 contacts)
   - OU=subsubtest2
    (0 users 0 groups 0 computers 0 contacts)
  - OU=subtest2
   (0 users 0 groups 0 computers 0 contacts)
   - OU=subsub2test1
    (0 users 0 groups 2 computers 0 contacts)
   - OU=subsub2test2
    (1 users 1 groups 1 computers 1 contacts)
    - OU=subsubsubtest
     (0 users 0 groups 0 computers 0 contacts)

 Totals: 1 users 1 groups 4 computers 1 contacts
Operation Completed

It's important to use the Cscript command; if you don't specify Cscript, every line of text in the output will pop up in a dialog box.

Q. Can I add a Windows Server 2003 domain controller (DC) to a Windows 2000 Server domain?

A. If you have only Win2K Server DCs in a domain and attempt to run Dcpromo from a Windows 2003 server so that it can join the domain, the command will fail and the error message that the figure at http://www.windowsitpro.com/articles/images/install2003dcinto2000foresterror.gif shows will be displayed. Before you can make a Windows 2003 server a DC in an existing Win2K Server domain, you must run the forest and domain preparation utility--Adprep--which you can find in the \i386 folder on the Windows 2003 CD-ROM--by running the commands

adprep /forestprep
adprep /domainprep

Be aware that these commands alter the schema and configuration of your forest and domain--especially if you have Microsoft Exchange 2000 Server installed--which can cause problems with the Windows 2003 forest preparation. (I'll cover the steps you need to take to avoid such problems in an upcoming FAQ.)

Q. How can I configure the replication interval within an Active Directory Application Mode (ADAM) site?

A. By default, all your ADAM replicas are in the same site. Because replication within a site is based on notification--that is, when a server has a change, it notifies its replication partners of the update--by default changes should be replicated almost instantly. A replication schedule exists for intrasite replication; however, this schedule applies only when no update-based replication has occurred within the standard replication time interval. To modify the default replication interval within a site, perform these steps:

65. Start the ADAM ADSI Edit tool (Start, Programs, ADAM, ADAM ADSI Edit).

66. If ADAM ADSI Edit doesn't open the Configuration partition by default, connect to it by right-clicking the ADAM ADSI Edit root in the treeview pane and selecting "Connect to"; otherwise, go to step 68.

67. At the dialog box that the figure shows, enter a connection name of "Configuration." (Leave the default server name and port number unless you changed the port during installation.) Under Connect to the following node, select "Well-known naming context" and choose "Configuration." Click OK.

68. Expand the Configuration partition, expand sites, and select the site name (which by default is Default-First-Site-Name--the same as with Active Directory--AD).

69. Right-click CN=NTDS Site Settings in the right pane and select Schedule from the displayed context menu.

70. In the Schedule window, which the figure shows, you can set the default replication interval (if no update replications have occurred). By default, the interval is once per hour.

71. Click OK.

Q. How can I manually force a replication of an Active Directory Application Mode (ADAM) partition?

A. You can use the ADAM version of Repadmin to force a replication by performing the following steps:

72. Start an ADAM tools command prompt (Start, Programs, ADAM, ADAM Tools Command Prompt).

73. Type the command

repadmin /syncall localhost:389 <partition name>

You'll need to change the port number in the command if you've assigned the ADAM instance a different port.

Messages similar to the following will be displayed:

Syncing partition: cn=App1,o=Savilltech,c=US
CALLBACK MESSAGE: The following replication is in progress:
    From: adamtest1.savilltech.com:389
    To  : adamtest2.savilltech.com:389
CALLBACK MESSAGE: The following replication completed successfully:
    From: adamtest1.savilltech.com:389
    To  : adamtest2.savilltech.com:389
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.

This shows a successful replication.

Q. How can I add a user to a group by using Microsoft Active Directory Service Interfaces (ADSI) in a script?

A. You can use VBScript code that's similar to the following snippet, which adds a user to a group by using the user's distinguished name (DN):

Set grp = GetObject("LDAP://cn=testgrp,ou=testing,dc=savilltech,dc=com")
Set oUser = GetObject("LDAP://cn=user1,ou=testing,dc=savilltech,dc=com")
grp.Add(oUser.AdsPath)
grp.SetInfo

Q. How can I use Microsoft Active Directory Service Interfaces (ADSI) to disable a user account?

A. Assuming that you've already defined an objUser variable in a VBScript script that points to the user you want to disable, you can disable a user account by adding the following code to your script:

objUser.AccountDisabled = True
objUser.SetInfo

Q. How can I use Microsoft Active Directory Service Interfaces (ADSI) to check a user's enabled or disabled state?

A. Each user object has an AccountDisabled property. To check whether an account is disabled, you can run a simple script that uses a True or False condition statement, such as this:

If objChild.AccountDisabled Then
    objDisabledStat = "Y"
Else
    objDisabledStat = "N"
End If

Q. How can I create a file that contains all user profiles that were created before a specific date? A. Recently, I had a client who had an Error! Hyperlink reference not valid. unit (OU) that served as a temporary holding container for recently created user Error! Hyperlink reference not valid.. Ideally, the OU shouldn't hold accounts for more than one month. Over time, the OU had accumulated more than 50,000 accounts, and the client wanted to delete from it all accounts older than 60 days.

Page 103: Interview Questions Dump

I used a two-phase approach to meet the client's request. First, I created a text file (userlist.txt) to hold a list of all the accounts older than 60 days. The entries in the file are the distinguished names (DNs) of objects. Then, I wrote the listusersolder.vbs script, which used the information in that file to output the list of accounts that are more than 60 days old. I used another script, which I provide in the FAQ "How can I delete from Active Directory (AD) user accounts that are listed in a file?" (FAQ), to delete all accounts in the file. You can download listusersolder.vbs at Code. Save the script as listusersolder.vbs. Remember to modify the script to include information specific to your installation.

    'listusersolder.vbs
    ' John Savill 19 August 2004
    Option Explicit

    Dim strFilePath, strLdapPath, strDate, objFSO, objFile, objConnection, _
        objChild, dtmCreate, selectedDate

    ' Check that all required arguments have been passed.
    If Wscript.Arguments.Count < 3 Then
        Wscript.Echo "Arguments required. For example:" & vbCrLf & _
            "cscript listusersolder.vbs ou=test,dc=demo,dc=test 6/10/2004 c:\temp\UserList.txt"
        Wscript.Quit(0)
    End If

    strLdapPath = Wscript.Arguments(0)
    strDate = Wscript.Arguments(1)
    selectedDate = DateValue(strDate)
    strFilePath = Wscript.Arguments(2)

    Set objFSO = CreateObject("Scripting.FileSystemObject")

    ' Open the file for write access.
    On Error Resume Next
    Set objFile = objFSO.OpenTextFile(strFilePath, 2, True, 0)
    If Err.Number <> 0 Then
        On Error GoTo 0
        Wscript.Echo "File " & strFilePath & " cannot be opened"
        Wscript.Quit(1)
    End If
    On Error GoTo 0

    Set objConnection = GetObject("LDAP://" & strLdapPath)
    objConnection.Filter = Array("user")

    For Each objChild In objConnection
        ' createTimeStamp is a constructed attribute, so it must be requested explicitly.
        objChild.GetInfoEx Array("createTimeStamp"), 0
        dtmCreate = objChild.Get("createTimeStamp")

        If dtmCreate < selectedDate Then
            ' Older than the cutoff: flag it on screen and record DN|creation time in the file.
            WScript.Echo objChild.Name & vbTab & dtmCreate & " *"
            objFile.WriteLine objChild.distinguishedName & "|" & dtmCreate
        Else
            WScript.Echo objChild.Name & vbTab & dtmCreate
        End If
    Next

    ' Close file connection
    objFile.Close

    Wscript.Echo "Operation Completed"

To run listusersolder.vbs, you pass it the name of a root-level container to check for accounts older than the date passed, an "older-than" date, and the name of a file to output the old accounts to, as the following sample command shows:

    cscript listusersolder.vbs ou=testing,dc=demo,dc=local 6/10/2004 c:\temp\list.txt

You'll see output on screen that's similar to this:

    Microsoft (R) Windows Script Host Version 5.6
    Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

    CN=Barry Allen    6/2/2004 10:59:32 PM *
    CN=Bruce Wayne    6/11/2004 6:30:40 PM
    CN=Clark Kent     6/2/2004 10:55:14 PM *
    CN=DeleteMe       8/19/2004 4:02:04 PM
    Operation Completed

Notice that any account that was created before 6/10/2004 has an asterisk (*) next to it. The contents of the list.txt file look like the following:

    CN=Barry Allen,OU=testing,DC=demo,DC=local|6/2/2004 10:59:32 PM
    CN=Clark Kent,OU=testing,DC=demo,DC=local|6/2/2004 10:55:14 PM

In the text file, a pipe character (|) separates the account and its creation time.

Q. How can I delete from Active Directory (AD) user accounts that are listed in a file?

A. To delete the accounts listed in the file that I created in the FAQ "How can I create a file that contains all user profiles that were created before a specific date?" (FAQ), I first created a text file that included information in the following format:

    <account DN>|[optional info after the pipe]
    <account DN>|[optional info after the pipe]
    etc.

For example:

    CN=test1,OU=testing,DC=demo,DC=local|6/2/2004 10:59:32 PM
    CN=test2,OU=testing,DC=demo,DC=local|6/2/2004 10:55:14 PM

A pipe character (|) must follow the account's distinguished name (DN); the script ignores what follows the pipe. I then wrote the delusersfromfile.vbs script, which deletes the accounts listed in the file. You can download the script at Code. Save the script as delusersfromfile.vbs. Remember to modify the script to include information specific to your installation.

    Option Explicit

    Dim strFilePath, objFSO, objFilesTarget, sUser, objParent, sLine, aLine, _
        sDN, oUser

    ' Check that all required arguments have been passed.
    If Wscript.Arguments.Count < 1 Then
        Wscript.Echo "Arguments required. For example:" & vbCrLf _
            & "cscript delusersfromfile.vbs c:\temp\UserList.txt"
        Wscript.Quit(0)
    End If

    strFilePath = Wscript.Arguments(0)

    Const ForReading = 1

    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objFilesTarget = objFSO.OpenTextFile(strFilePath, ForReading, True)

    Do While objFilesTarget.AtEndOfStream <> True
        sLine = objFilesTarget.ReadLine
        ' Everything after the first pipe is ignored; only the DN is used.
        aLine = Split(sLine, "|", -1, 1)
        sDN = Trim(aLine(0))

        ' Skip blank lines, which would otherwise become an empty LDAP:// bind.
        If Len(sDN) > 0 Then
            sUser = "LDAP://" & sDN
            WScript.Echo sUser

            On Error Resume Next
            Set oUser = GetObject(sUser)
            If Err.Number <> 0 Then
                ' Report a failed bind instead of silently carrying on with the previous object.
                WScript.Echo "  Cannot bind to " & sUser & " (error " & Hex(Err.Number) & ")"
                Err.Clear
            Else
                ' Delete the user object through its parent container.
                Set objParent = GetObject(oUser.Parent)
                objParent.Delete "User", oUser.Name
                If Err.Number <> 0 Then
                    WScript.Echo "  Delete failed for " & sUser & " (error " & Hex(Err.Number) & ")"
                    Err.Clear
                End If
            End If
            On Error GoTo 0
        End If
    Loop

    objFilesTarget.Close
    Set oUser = Nothing

To run delusersfromfile.vbs, at a command prompt enter

    cscript delusersfromfile.vbs c:\temp\list.txt

You'll see output on screen that's similar to this:

    Microsoft (R) Windows Script Host Version 5.6
    Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

    LDAP://CN=test1,OU=testing,DC=demo,DC=local
    LDAP://CN=test2,OU=testing,DC=demo,DC=local

After executing delusersfromfile.vbs, you could run a script to verify whether the accounts have been deleted. For example, you could run the listusersolder.vbs script that I discuss in "How can I create a file that contains all user profiles that were created before a specific date?"; the list that the script outputs should be empty of old accounts.
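A check worth running before the deletion script consumes the file: the Python below is an added example (not John Savill's code) that parses the DN|timestamp lines listusersolder.vbs writes and rejects any entry that is malformed, lies outside the intended OU, or is not actually older than the cutoff date, so a stray line in list.txt can't delete the wrong account. The sample file content and the container DN are constructed; DNs are assumed to contain no escaped commas.

```python
"""Vet a userlist.txt of the form <DN>|<creation time> before it drives deletions.

Added example, not the FAQ's VBScript. The sample content below is constructed
from the list.txt shown in the FAQ plus a few bad lines to exercise the checks.
"""
from datetime import datetime

# Constructed sample: two valid entries, one too recent, one in the wrong
# container, and one line without the required pipe separator.
SAMPLE_USERLIST = """\
CN=Barry Allen,OU=testing,DC=demo,DC=local|6/2/2004 10:59:32 PM
CN=Clark Kent,OU=testing,DC=demo,DC=local|6/2/2004 10:55:14 PM
CN=Bruce Wayne,OU=testing,DC=demo,DC=local|6/11/2004 6:30:40 PM
CN=Administrator,CN=Users,DC=demo,DC=local|1/1/2003 9:00:00 AM
CN=NoPipe,OU=testing,DC=demo,DC=local

"""

# The VBScript writes the ADSI-rendered local time, e.g. "6/2/2004 10:59:32 PM",
# and takes its cutoff as "6/10/2004", so both formats are parsed the same way.
_STAMP_FORMAT = "%m/%d/%Y %I:%M:%S %p"
_CUTOFF_FORMAT = "%m/%d/%Y"


def parse_line(line):
    """Split 'DN|timestamp' into (dn, datetime); raise ValueError if malformed."""
    if "|" not in line:
        raise ValueError("missing pipe separator")
    dn, rest = line.split("|", 1)
    dn = dn.strip()
    if not dn.upper().startswith("CN="):
        raise ValueError("DN does not start with CN=")
    created = datetime.strptime(rest.strip(), _STAMP_FORMAT)
    return dn, created


def dn_in_container(dn, container_dn):
    """True if dn is a direct child of container_dn (case-insensitive RDN compare).

    Assumes RDN values contain no escaped commas, which holds for the sample data.
    """
    parts = [p.strip().upper() for p in dn.split(",")]
    want = [p.strip().upper() for p in container_dn.split(",")]
    return len(parts) == len(want) + 1 and parts[1:] == want


def vet_userlist(text, container_dn, cutoff):
    """Return (accepted_dns, rejected) where rejected is a list of (line, reason).

    Only entries that parse, sit directly under container_dn, and were created
    before the cutoff date (given as m/d/yyyy, like the VBScript argument) pass.
    """
    cutoff_dt = datetime.strptime(cutoff, _CUTOFF_FORMAT)
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # a blank line would otherwise become an empty LDAP:// bind
        try:
            dn, created = parse_line(line)
        except ValueError as exc:
            rejected.append((line, str(exc)))
            continue
        if not dn_in_container(dn, container_dn):
            rejected.append((line, "outside target container"))
        elif created >= cutoff_dt:
            rejected.append((line, "not older than cutoff"))
        else:
            accepted.append(dn)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = vet_userlist(SAMPLE_USERLIST, "OU=testing,DC=demo,DC=local", "6/10/2004")
    for dn in ok:
        print("DELETE CANDIDATE:", dn)
    for line, why in bad:
        print("SKIPPED (%s): %s" % (why, line))
```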

Q. How can I create a list that includes all user profiles in a particular container and the date and time they were created?

A. I've created the following script, listusers.vbs, to which you pass the name of a Lightweight Directory Access Protocol (LDAP) container; the script then uses this name to generate a list of all user profiles in the container and their creation date (GMT). You can download the script at Code. Save the script as listusers.vbs. Remember to modify it to include information specific to your installation.

    'listusers.vbs
    ' John Savill 19 August 2004
    Option Explicit

    Dim strLdapPath, objConnection, objChild, dtmCreate

    ' Check that all required arguments have been passed.
    If Wscript.Arguments.Count < 1 Then
        Wscript.Echo "Arguments required. For example:" & vbCrLf _
            & "cscript listusers.vbs ou=testing,dc=demo,dc=test"
        Wscript.Quit(0)
    End If

    strLdapPath = Wscript.Arguments(0)

    Set objConnection = GetObject("LDAP://" & strLdapPath)
    objConnection.Filter = Array("user")

    For Each objChild In objConnection
        ' createTimeStamp is a constructed attribute, so it must be requested explicitly.
        objChild.GetInfoEx Array("createTimeStamp"), 0
        dtmCreate = objChild.Get("createTimeStamp")
        WScript.Echo objChild.Name & vbTab & dtmCreate
    Next

    Wscript.Echo "Operation Completed"

I place the cscript command at the beginning of the call to the listusers.vbs file. Specifying cscript forces the script to run in the CScript (i.e., command window) environment. If you don't specify cscript, each user in the list will be displayed in a dialog box. In the sample code here, the passed LDAP container is an organizational unit (OU) called testing (ou=testing) in the demo.local domain (dc=demo,dc=local). To run the script, at a command prompt enter

    cscript listusers.vbs ou=testing,dc=demo,dc=local

You'll see output on screen that's similar to this:

    Microsoft (R) Windows Script Host Version 5.6
    Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

    CN=Barry Allen    6/2/2004 10:59:32 PM
    CN=Bruce Wayne    6/11/2004 6:30:40 PM
    CN=Clark Kent     6/2/2004 10:55:14 PM
    CN=DeleteMe       8/19/2004 4:02:04 PM
    Operation Completed

Q. How can I verify that my Active Directory Application Mode (ADAM) partition replica addition worked?

A. On the replica server, open the ADAM version of the Microsoft Management Console (MMC) ADSI Edit snap-in (Start, Programs, ADAM, ADAM ADSI Edit) and connect to the replicated partition by following these steps:

1. Start the ADAM ADSI Edit tool on the replica server.
2. Right-click the ADAM ADSI Edit root in the treeview pane and select "Connect to."
3. Enter a connection name and leave the server name as localhost and the port as 389 (unless you changed the port during installation).
4. Under "Connect to the following node," select the "Distinguished name (DN) or naming context" option, which the figure at Figure shows, and enter the name of the partition you've replicated.
5. Click OK.

If the replica addition works, ADSI Edit should now display the contents of your partition. It's a good idea to create an object in one copy of the replica and make sure it's replicated to the other members of the replica set. If the partition isn't cached, it hasn't replicated. If this occurs, you could try stopping and starting the ADAM service on the replica system, then try to reconnect.

Q. How can I add an Active Directory Application Mode (ADAM) replica to an existing ADAM instance?

A. ADAM lets you replicate partitions between ADAM servers. Like trees in an AD forest, the ADAM servers must share a common configuration and schema to replicate a partition. To add a replica to an existing ADAM instance, perform the following steps:

1. Double-click adamsetup.exe.
2. At the "Welcome to the Active Directory Application Mode Setup Wizard" screen, click Next.
3. Select the "I accept the terms in the license agreement" option and click Next.
4. Under the installation options, select to install "ADAM and ADAM administration tools" and click Next.
5. You can now select the type of instance to create--a new unique instance or a replica of an existing instance. Select the "A replica of an existing instance" option and click Next.
6. Enter the instance name for this ADAM installation. This name, with the prefix ADAM_ prepended to it, names the service--for example, if you enter the name portal1, the service name is ADAM_portal1. Click Next. To simplify matters, you might want to give this instance the same name as the instance you're replicating from.
7. Next, you're asked to specify the Lightweight Directory Access Protocol (LDAP) ports to use. Enter the port numbers you want and click Next. For more information about LDAP ports, see the FAQ "How do I install Active Directory Application Mode (ADAM)?"
8. At the window that the figure at Figure shows, enter the existing server name and the number of its LDAP port that you want to join. (Specify a host or DNS name for the server name, not an IP address.) Click Next.
9. You're asked for credentials to be used to add this ADAM instance to the existing configuration set. Either select the current logged-on account or enter an account to use; click Next.
10. A list of partitions that are available on the existing ADAM server is displayed. Select the partitions you want to replicate and click Next.
11. Proceed with the steps as if you're performing a unique ADAM installation, as described in "How do I install Active Directory Application Mode (ADAM)?".

Q. How can I install Active Directory Application Mode (ADAM)?

A. Download the ADAM installation file at http://www.microsoft.com/windowsserver2003/adam/default.mspx and execute it. The file self-expands to a folder you select. Navigate to the selected folder and perform the following steps:

1. Double-click adamsetup.exe.
2. At the "Welcome to the Active Directory Application Mode Setup Wizard" screen, click Next.
3. Select the "I accept the terms in the license agreement" option and click Next.
4. Under the installation options, select to install "ADAM and ADAM administration tools" and click Next.
5. In the window that the figure at Figure shows, you can select the type of instance to create--a new unique instance or a replica of an existing instance. Select the "A unique instance" option and click Next.
6. Enter the instance name for this ADAM installation. This name, with the prefix ADAM_ prepended to it, names the service; for example, if you enter the name portal1, the service name is ADAM_portal1. Click Next to display the window that the figure at Figure shows.
7. Next, you must specify the Lightweight Directory Access Protocol (LDAP) ports to use. By default, the ports are 389 for regular communications and 636 for Secure Sockets Layer (SSL)-encrypted LDAP communications. If you're installing ADAM on an existing domain controller (DC), these ports are already in use, so you'll have to select other ports. Also, if you're installing a second instance of ADAM on a system and the first instance already uses ports 389 and 636, you'll need to select different port numbers. The recommended custom ports start at 50000, so you could use 50000 for LDAP and 50001 for SSL. Enter your port numbers and click Next.
8. You're then asked whether you want to create an application partition. If you select "Yes, create an application directory partition", you must enter a valid partition name--for example, "cn=App1,o=Savilltech,c=US". Click Next.
9. Choose the location for the database files and recovery files. You can accept the defaults (C:\program files\microsoft adam\<instance name>\data) or enter a custom location. Click Next.
10. Specify the account to run the ADAM service. In most cases you can use the default, "Network service account." Click Next. When the machine on which you're installing ADAM isn't in a domain and you select the Network service account, the wizard tells you that ADAM won't be able to replicate with other machines.
11. Next, you're prompted to specify the ADAM default administrator. By default, this is the current user; alternatively, you can select "This account" and specify a different user or group--for example, the Domain Admins group. Click Next.
12. At the window that the figure at Figure shows, you can select the LDAP Data Interchange Format (LDIF) files to load. LDIF files define attributes and classes that will be added to your schema. For example, you can add the MS-InetOrgPerson type (i.e., the InetOrgPerson user definition). Select the "Import the selected LDIF files for this instance of ADAM" option, add the .ldf files you want to import to the "Selected LDIF files" list, and click Next.
13. At the summary screen, click Next.
14. After the ADAM installation is done, click Finish.

ADAM is now installed. You can check your installation by starting the ADAM ADSI Edit tool and making sure you can connect. If you run the command

    net start

at a command prompt, you'll see a service listed that's the name of your instance (without the ADAM_ prefix). If you received an error during installation about creating a folder in the \windows\adam folder, simply manually create an empty \adam folder under the \windows folder and retry the installation.

Q. Why can I use only the NetBIOS domain name and not the DNS domain name to join a computer to a domain that's been upgraded from Windows NT Server 4.0 to Windows Server 2003 or Windows 2000 Server?

A. After you've upgraded an NT-based domain to Active Directory (AD), you should be able to use either the domain's NetBIOS name (e.g., savilltech) or its DNS name (e.g., savilltech.com) to join computers to the domain. If you can join a computer to the domain only by using its NetBIOS name, an incorrect DNS configuration might be the source of the problem. You can check a system's DNS configuration by entering the following lines at the command prompt. (The text that's enclosed in quotes represents messages that are displayed after you type the indicated commands.)

    nslookup
    "Default Server: omega.savilltech.com
    Address: 10.0.0.1"

    set type=srv
    _ldap._tcp.savilltech.com
    "Server: omega.savilltech.com
    Address: 10.0.0.1

    _ldap._tcp.savilltech.com SRV service location:
        priority = 0
        weight = 100
        port = 389
        svr hostname = omega.savilltech.com
    omega.savilltech.com internet address = 10.0.0.1"

    exit


Instead of _ldap._tcp.savilltech.com, enter _ldap._tcp, followed by your DNS domain name. If the nslookup command finds DNS records, your system's DNS configuration is probably correct. If nslookup finds no DNS records, check your DNS entries and, if they're correct, check the DNS server itself.

If your DNS configuration is in order, your domain controllers (DCs) might have the NT4Emulator registry entry enabled, which means they're emulating NT 4.0 DCs and thus won't respond to AD-style requests. You can test whether NT4Emulator is enabled on your DCs by configuring the neutralize NT4Emulator option on the client you're trying to join to the domain:

1. Start the registry editor (regedit.exe).
2. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters subkey.
3. From the Edit menu, select New and click DWORD Value.
4. Enter the name NeutralizeNT4Emulator and press Enter.
5. Double-click the value and set it to 1. Click OK.
6. Close the registry editor.

You don't need to restart the computer or log off; just try again to join the computer to the domain by using the DNS domain name. If the computer joins the domain successfully, you must either disable the NT4Emulator on the DCs or configure the NeutralizeNT4Emulator value on all machines on which you want to use the DNS name for the domain.

Q. How can I determine whether my new Global Catalog (GC) is ready to service clients?

A. When you enable a domain controller (DC) as a GC, the DC can't start offering a GC service immediately. If you have multiple domains, the GC has to replicate information from another GC or for other domains before it can start functioning as a GC. By default, the new GC will wait at least 5 minutes before offering itself as a GC. You can check the Directory Service event log for event ID 1119, which confirms the server is now a GC. If you want to automatically check the status of a new GC, you can create the following VBScript script on the DC:

    Set objRootDSE = GetObject("LDAP://RootDSE")
    Wscript.Echo "GC ready: " & objRootDSE.Get("isGlobalCatalogReady")

Save the code in a file called gcready.vbs. Then, to run the script, enter the command

    cscript gcready.vbs

Q. How can I check the status of the Relative Identifier (RID) pool on a domain controller (DC)?

A. Windows gives every DC a pool of RIDs and adds to the pool as necessary in batches of 500. To check the range of RIDs in a current pool, run the command

    dcdiag /v /test:ridmanager

where /v specifies verbose mode and /test:ridmanager tells the command to run only the RID Manager test and not the other default tests. The command displays the next RID that will be allocated to an object created on the DC and the range of currently allocated RIDs, as in the following sample output:

    Testing server: Gotham\VPC2003DC1MN
       Test omitted by user request: Replications
       Test omitted by user request: Topology
       Test omitted by user request: CutoffServers
       Test omitted by user request: NCSecDesc
       Test omitted by user request: NetLogons
       Test omitted by user request: Advertising
       Test omitted by user request: KnowsOfRoleHolders
       Starting test: RidManager
          * Available RID Pool for the Domain is 2608 to 1073741823
          * omega.savilltech.com is the RID Master
          * DsBind with RID Master was successful
          * rIDAllocationPool is 2108 to 2607
          * rIDPreviousAllocationPool is 2108 to 2607
          * rIDNextRID: 2156
          ......................... VPC2003DC1MN passed test RidManager

In this example, the range of RIDs that can be allocated is from 2108 to 2607, and the next RID that will be allocated is 2156, which means that the pool contains 451 unallocated RIDs (2607-2156).

Notice that in this sample output, rIDAllocationPool and rIDPreviousAllocationPool are the same. That won't always be the case, however. rIDPreviousAllocationPool is the pool that RIDs are currently being taken from for object SID allocation. When more than a specified percentage of RIDs in this pool have been allocated (50 percent for Windows 2000 Service Pack 4--SP4--and later), the OS asks the DC that holds the RID Flexible Single-Master Operation (FSMO) role for another batch of RIDs to add to rIDAllocationPool. When rIDPreviousAllocationPool is totally depleted, the OS copies the RIDs from rIDAllocationPool into rIDPreviousAllocationPool and starts using the copied RIDs as needed. This process ensures that a temporary interruption in communication with the RID FSMO DC doesn't prevent DCs from creating new objects because their RID pools are exhausted.
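As an added example (Python, not part of the original FAQ), the following parses the RidManager section of that dcdiag output and reports how much of the active pool is left, using the FAQ's own arithmetic for the remaining count and the 50-percent rule described above to say whether a new batch should already have been requested. The sample text is constructed from the output shown.

```python
"""Summarise RID pool usage from 'dcdiag /v /test:ridmanager' output.

Added example, not from the FAQ. SAMPLE_DCDIAG is constructed from the
sample output quoted in the FAQ; ALLOCATION_THRESHOLD encodes the 50-percent
rule the FAQ gives for Windows 2000 SP4 and later.
"""
import re

# Constructed from the dcdiag output quoted in the FAQ.
SAMPLE_DCDIAG = """\
   Starting test: RidManager
      * Available RID Pool for the Domain is 2608 to 1073741823
      * omega.savilltech.com is the RID Master
      * DsBind with RID Master was successful
      * rIDAllocationPool is 2108 to 2607
      * rIDPreviousAllocationPool is 2108 to 2607
      * rIDNextRID: 2156
      ......................... VPC2003DC1MN passed test RidManager
"""

# Share of rIDPreviousAllocationPool consumed before the DC asks the RID master
# for another batch (50 percent on Windows 2000 SP4 and later, per the FAQ).
ALLOCATION_THRESHOLD = 0.50

_RANGE = re.compile(r"\*\s+(rIDAllocationPool|rIDPreviousAllocationPool)\s+is\s+(\d+)\s+to\s+(\d+)")
_NEXT = re.compile(r"\*\s+rIDNextRID:\s+(\d+)")
_MASTER = re.compile(r"\*\s+(\S+)\s+is the RID Master")


def parse_rid_output(text):
    """Extract the pool ranges, next RID and RID master; raise ValueError if a field is missing."""
    info = {}
    for m in _RANGE.finditer(text):
        info[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    m = _NEXT.search(text)
    if m:
        info["rIDNextRID"] = int(m.group(1))
    m = _MASTER.search(text)
    if m:
        info["ridMaster"] = m.group(1)
    missing = {"rIDAllocationPool", "rIDPreviousAllocationPool", "rIDNextRID"} - set(info)
    if missing:
        raise ValueError("dcdiag output lacks: " + ", ".join(sorted(missing)))
    return info


def analyze_rid_pool(text):
    """Report usage of the active pool (rIDPreviousAllocationPool).

    'remaining' follows the FAQ's arithmetic (pool end minus next RID), so for
    the sample it is 2607 - 2156 = 451.
    """
    info = parse_rid_output(text)
    lo, hi = info["rIDPreviousAllocationPool"]
    nxt = info["rIDNextRID"]
    size = hi - lo + 1            # a batch of 500 in the sample
    used = nxt - lo               # RIDs already handed out from this pool
    remaining = hi - nxt
    fraction_used = used / size
    # When the standby pool equals the active one, no fresh batch has been fetched yet.
    standby_fetched = info["rIDAllocationPool"] != info["rIDPreviousAllocationPool"]
    return {
        "ridMaster": info.get("ridMaster"),
        "pool": (lo, hi),
        "nextRid": nxt,
        "remaining": remaining,
        "fractionUsed": round(fraction_used, 3),
        "standbyPoolFetched": standby_fetched,
        # Past the threshold with no standby batch yet means the request is overdue.
        "shouldRequestNewPool": fraction_used > ALLOCATION_THRESHOLD and not standby_fetched,
    }


if __name__ == "__main__":
    for key, value in analyze_rid_pool(SAMPLE_DCDIAG).items():
        print("%-22s %s" % (key, value))
```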

Q. Can I change the Relative Identifier (RID) of a built-in object?

A. The RID values are hard-coded in the Windows OS code through header files and shouldn't be changed. Even if you did manage to change a RID, much of the internal OS code refers to the built-in objects by their RIDs instead of their names. Thus, changing the RIDs could cause a lot of problems for your Windows systems.

Q. What are the Relative Identifiers (RIDs) of a domain's built-in accounts?

A. Every object in a domain has a SID, which consists of the domain's SID and a RID. For built-in objects, such as built-in accounts, these RIDs are hard-coded. The table at Table lists the built-in objects, their RIDs, and the object type. The fact that RIDs are hard-coded explains why merely renaming, say, the Domain Administrator object doesn't often thwart an intruder, who can simply locate the account by using the RID 500. However, you can create a honeypot by renaming the Domain Administrator account and creating a new account called Domain Administrator that has no permissions. You can use the bogus Domain Administrator account to fool hackers into attacking it, then log the attacks and delay any real damage to the bona fide Domain Administrator account.

Q. What's the DNS _msdcs zone for the forest root domain used for?

A. Active Directory (AD) uses DNS as its locator service to support the various types of services that AD offers, such as Global Catalog (GC), Kerberos, and Lightweight Directory Access Protocol (LDAP). Other non-Microsoft services can be advertised in the DNS, including--but not restricted to--non-Microsoft implementations of LDAP and GC. However, sometimes clients might need to contact a Microsoft-hosted service. For that reason, each domain in DNS has an _msdcs subdomain that hosts only DNS SRV records that are registered by Microsoft-based services. The Netlogon process dynamically creates these records on each domain controller (DC). The _msdcs subdomain also includes the globally unique identifier (GUID) for all domains in the forest and a list of GC servers.

If you install a new forest on a system that runs Windows Server 2003 and let the Dcpromo wizard configure DNS, Dcpromo will actually create a separate zone called _msdcs.<forest name> on the DNS server. This zone is configured to store its records in a forestwide application directory partition, ForestDNSZones, which is replicated to every DC in the forest that runs the DNS service. This replication makes the zone highly available anywhere in the forest.

DNS FAQs

Q. How can I specify a forwarding condition for a DNS domain?

A. To specify conditional forwarding for a DNS domain, perform these steps:

1. Log on as a domain administrator on each DNS server for which you want to add conditional forwarding.
2. Start the Microsoft Management Console (MMC) DNS snap-in (Start, Programs, Administrative Tools, DNS).
3. Right-click the DNS server and select Properties.
4. Select the Forwarders tab.
5. Click the New button in the DNS domain section.
6. Enter the name of the DNS domain to which the forwarding will apply--for example, savilltech.net--and click OK.
7. Enter the IP addresses of the DNS servers in the forwarded DNS domain by typing the addresses one at a time in the Add field and clicking Add. You should add multiple entries for the DNS servers that service the zone for which you're forwarding. After you finish entering addresses, click OK.

After you've enabled conditional DNS forwarding, you should test whether it's working by performing a DNS resolution request for hosts that are in the DNS domains for which you've configured conditional forwarding. For example, to perform a test, you can use the Nslookup command to query DNS for records that would be serviced in the forwarded DNS domain.

Q. What's conditional DNS forwarding?

A. Windows 2000 Server DNS can forward DNS resolution requests that a DNS server can't resolve locally. This forwarding occurs when the request is for a domain for which the DNS server isn't authoritative and the request isn't in the DNS server's cache waiting to be forwarded to another DNS server. The ability to forward DNS resolution requests is a global setting that applies to all unresolvable addresses.

Windows Server 2003 offers the ability to forward unresolvable requests to different DNS servers. Depending on the domain in which the request originated and whether the request matches multiple defined forwarding rules, the DNS server uses the IP address that corresponds to the forwarding rule that most closely matches the resolution request. For example, if a DNS server has forwarding configured as the table shows, the DNS server will forward a request for host143.marketing.ntfaq.com to 192.168.40.40, because that IP address is a closer match to marketing.ntfaq.com than it is to ntfaq.com.

Conditional DNS forwarding is a useful feature that avoids the usual recursive nature of DNS resolution requests, in which DNS must first find DNS servers for .com, then ntfaq.com, and so on. If you have a large namespace, you might consider using conditional DNS forwarding to speed up resolution requests. This feature is also useful for connecting two organizations, especially if one organization uses a nonstandard namespace--for example, savilltech.local--that the typical DNS name-resolution process would never find.
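The closest-match rule described above, as an added Python example that is not from the original FAQ: the forwarding table is constructed (only 192.168.40.40 for marketing.ntfaq.com comes from the text; the other addresses are placeholders), and matching is done on whole labels so that a name such as notntfaq.com is not treated as part of ntfaq.com.

```python
"""Choose the conditional forwarder for a query name: the configured domain
with the most matching labels wins; otherwise fall back to the global forwarders.

Added example, not from the FAQ. The table below is constructed; only the
marketing.ntfaq.com address is taken from the FAQ text.
"""

# Constructed forwarding table: domain suffix -> forwarder IP addresses.
# None keys the unconditional forwarders used when no domain rule matches.
FORWARDING_RULES = {
    "ntfaq.com":           ["192.168.10.10"],   # placeholder
    "marketing.ntfaq.com": ["192.168.40.40"],   # address quoted in the FAQ
    "savilltech.local":    ["10.0.0.1"],        # placeholder for a private namespace
    None:                  ["8.8.8.8"],         # placeholder default forwarder
}


def _labels(name):
    """Normalise a DNS name to lower-case labels, dropping any trailing dot."""
    return [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]


def select_forwarder(query_name, rules):
    """Return (matched_domain, forwarders) for query_name.

    A rule matches only when its labels equal the tail of the query's labels,
    so 'www.notntfaq.com' does not match 'ntfaq.com'. Among matching rules the
    one with the most labels (the closest match) is chosen. With no match,
    matched_domain is None and the unconditional forwarders are returned.
    """
    q = _labels(query_name)
    best_domain, best_len = None, -1
    for domain in rules:
        if domain is None:
            continue
        d = _labels(domain)
        if len(d) <= len(q) and q[-len(d):] == d and len(d) > best_len:
            best_domain, best_len = domain, len(d)
    if best_domain is None:
        return None, rules.get(None, [])
    return best_domain, rules[best_domain]


if __name__ == "__main__":
    for name in ("host143.marketing.ntfaq.com", "www.ntfaq.com.",
                 "www.notntfaq.com", "SERVER1.savilltech.LOCAL"):
        domain, servers = select_forwarder(name, FORWARDING_RULES)
        print("%-30s -> rule %-22s forwarders %s" % (name, domain, servers))
```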

Q. How can I use the name domain.com for a domain when that name is hosted on a DNS server that doesn't support service records?

A. Ideally, you'd migrate the DNS zone to a new Windows-based DNS server. If that isn't possible, don't use domain.com for your Active Directory (AD) domain. Instead, use either ads.domain.com or, if ads.domain.com isn't practical, domain.net. There's no reason to use domain.com. However, if you must use it and can't move the domain to another DNS server, you can delegate the four core subdomains that AD uses to a Windows DNS server. These subdomains are

    _msdcs.domain.com
    _sites.domain.com
    _tcp.domain.com
    _udp.domain.com

You'd create these subdomains as new zones on your Windows DNS server and enable dynamic update. These zones would then contain all the service records that AD needs. However, you'd still need to manually add a host (A) record in the main DNS zone for domain.com for each domain controller's (DC's) IP address (e.g., domain.com IN A 128.10.20.12) and one host record per DC. Adding these records is easy, although you must remember to update the A record if your IP addressing changes.


Q. How can I merge multiple primary versions of the same DNS zone for different servers into one Active Directory-integrated zone?

A. Only one primary version of the DNS zone should exist for zones that aren't Active Directory-integrated. If necessary, you can create additional secondary versions of zones on other DNS servers to support fault tolerance and load balancing. If you have multiple primary versions of a zone that isn't Active Directory-integrated, those zones won't replicate or remain synchronized. Here are the possible actions that can occur when you move these multiple versions into Active Directory (AD) for storage:

After the first DNS server stores its zone information in AD, all subsequent DNS servers lose their DNS zone content and use the first DNS server's zone information in AD.

As each DNS server is modified to store its information in AD, the new DNS zone data overwrites the existing DNS zone data in AD.

As each DNS server is modified to store its information in AD, the new DNS server's data merges with the existing data.

When you opt to integrate the second instance of the zone (or any subsequent instance of the zone on a different DNS server) in AD--as explained in the FAQ "How can I change how DNS information is stored on a DNS server?" (http://www.winnetmag.com/articles/index.cfm?articleid=43104)--you can choose between the first and second options. In the Active Directory Service box, which the figure at Figure shows, you must select either "Discard the new zone, and load the existing zone from Active Directory" or "Overwrite the existing zone in Active Directory with the new zone." After you make your selection, click OK, then click OK again to confirm it.

Q. How can I change how DNS information is stored on a DNS server?

A. In Windows Server 2003, DNS information can be stored in the following ways:

    in the usual zone file type storage
    in the Active Directory (AD) domain partition
    in a domain-specific application partition that's replicated only to DNS servers in the domain
    in a forestwide application partition that's replicated only to DNS servers in the forest
    in a custom application partition that an administrator manually creates

To change how DNS information is stored, perform the following steps:

1. Start the Microsoft Management Console (MMC) DNS snap-in (Start, Programs, Administrative Tools, DNS).
2. Expand the "Forward Lookup Zones" leaf.
3. Right-click the zone whose storage you want to modify and select Properties.
4. Select the General tab. You'll see a figure like the one at Figure.
5. Click the Change button to the right of the Type: entry.


6. The Change Zone Type dialog box is displayed. To store DNS information in an AD domain partition, select the "Primary zone" zone type. (You must select "Primary zone" to use any option other than file-type storage.) Select the "Store the zone in Active Directory (available only if the DNS server is a domain controller)" check box and click OK.

7. If you've opted to store the data in AD, you can now change how it's replicated. To do so, click the Change button to the right of the Replication: entry on the zone properties General tab; the Change Zone Replication Scope dialog box will appear.

8. You can choose to replicate the data to all DNS servers in the forest, to the domain, or to all DCs in the domain. After you select an option, click OK.

9. Click OK on the zone properties General tab to accept the changes.

Q. In a multi-DNS server environment, how do I configure the DNS servers to resolve both local and remote hosts?

A. Windows 2000, Windows NT, and Windows 9x let you identify multiple DNS servers. So, for example, you might have a local DNS server on your network and a remote DNS server if you connect to the Internet. In this situation, if you list your local DNS server first, you might not be able to resolve remote names, and if you list the remote DNS server first, you might not be able to resolve local names.

In a multiple DNS server environment, if a client queries the first DNS server and that server doesn't respond, the client will query the second DNS server. If the first DNS server (e.g., a local DNS server that doesn't know about a remote host) responds with an unknown host, then the client won't query other DNS servers. Instead, the client will resort to using other methods (e.g., LMHOSTS, WINS) to resolve the domain name.

To work around this problem, you need to configure your machines to forward DNS information, which typically means configuring local DNS server information on the clients and configuring the local DNS servers to forward unknown requests to the remote DNS servers.

Q. After I promote my Windows 2000 domain controller (DC), its DNS suffix doesn't match the domain name. How can I fix this problem?

A. After you run DCPromo, you might receive a NetLogon event (ID 5781) or other dynamic registration errors in the System event log indicating failure to dynamically register DNS records. You can't rename the computer on the Network Identification tab. To correct this namespace problem, complete the following steps:

1. Use DCPromo to demote the DC to a member server.

2. In the Control Panel, double-click System, click the Network Identification tab, and select the Change primary DNS suffix when domain membership changes option.

3. Run DCPromo to promote the member server to a DC.

If you haven't run DCPromo yet, complete these steps:

1. After upgrading to Win2K, use regedt32 to navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.

2. Set the data value of the SyncDomainWithMembership Value Name to 1. If you must add this Value Name, it is a REG_DWORD data type.

To avoid this namespace problem when you perform future updates, you can use slipstreaming (see "How can I use slipstreaming to install Windows 2000 and a service pack at the same time?").

How can I enable my web site to be accessible as ntfaq.com instead of www.ntfaq.com?

A. We are all used to entering www.<domain> for a web site, such as www.serverfaq.com, however www is just a normal DNS host record and if you want your site to be accessible as just <domain>, e.g. yahoo.com, just create a blank host record. In Windows 2000 to create a blank host record for the domain perform the following:

1. Start the DNS MMC snap-in (Start - Programs - Administrative Tools - DNS)

2. Expand the server - forward lookup zones - DNS domain

3. Right click on the domain and select 'New Host'

4. Leave the name blank and just enter the IP address (check the create associated pointer record box)

5. Click Add Host

A new host record will be listed of the form:

(same as parent folder) Host <ip address>

To do this on NT 4.0 for the domain ntfaq.com at address W.X.Y.Z, do the following:

1. Stop the DNS service:

C:\> net stop dns

2. Edit the file ntfaq.com.dns (found at %systemroot%\system32\dns\*.dns)

3. Find a record that looks like:

www IN A W.X.Y.Z

4. Add the following record below it:

@ IN A W.X.Y.Z

5. Save the file

6. Restart the DNS service:

C:\> net start DNS

How can I configure DNS to use a WINS server?


A. It is possible to configure DNS to use a WINS server to resolve the host name part of a Fully Qualified Domain Name (FQDN).

1. Start DNS manager (Start - Programs - Administrative Tools - DNS Manager)

2. Right click on the zone you wish to use with the WINS server and select Properties

3. Click the "WINS Lookup" tab

4. Select the "Use WINS Resolution" check box and then enter the WINS server IP address and click Add

5. Click OK when finished

How do I turn off Dynamic DNS?

A. By default, the TCP/IP stack in NT 5.0 Beta 2 (and later builds) attempts to register its Host (A) record with its DNS server. This makes sense in an all NT (Windows 2000) environment. But if you are using a static, legacy DNS server, the DNS administrators might not like all the 'errors' this produces on their server, since those DNS servers will not understand these "updates". You will get errors such as:

Dnsapi Failed to register network adapter with settings Sent update to server

To make the clients stop attempting to publish their DNS names/addresses to the DNS server perform the following:

1. Log on to each client as Administrator

2. Start the registry editor (regedit.exe)

3. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

4. From the Edit menu select New - DWORD value

5. Enter a name of DisableDynamicUpdate and press Enter

6. Double click on the new value and set it to 1. Click OK

If you have multiple adapters in the machine you may not want to disable dynamic update for all of them, so instead of setting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableDynamicUpdate to 1, set it to 0 and then move to the sub key Interfaces\<interface name>, create the DisableDynamicUpdate value there and set it to 1. If you need to perform this on a large number of machines you should create a reg script or set it from the login script.

How do I configure a forwarder on DNS 5.0?

A. If you create a DNS server on your network but it is not the main DNS server, i.e. your organization has a central main DNS server, you will want to forward queries your DNS server cannot service to that DNS server. This is because only certain servers in your network will have access to DNS servers outside your network (due to firewalls etc) and thus your (departmental?) DNS server cannot access the DNS servers higher up in the DNS hierarchy. To configure a forwarder perform the following:


1. Start the DNS Management MMC snap-in (Start - Programs - Administrative Tools - DNS Management)

2. Right click on the DNS server and select Properties

3. Select the "Forwarders" tab

4. Check the "Enable forwarder(s)" box

5. Enter the IP address of the DNS server and click Add

6. Click OK

7. Close the DNS Management snap-in

If the Forwarders tab is missing or not available, see Q. I am missing the forwarder and Root Hints tabs in DNS 5.0

How do I enable DNS round robin resolution?

A. Recent Windows NT service packs introduced LocalNetPriority, which tries to return Host resources that are local to the requestor instead of using round robin. Round robin can be re-enabled as follows:

1. Start the registry editor (regedit.exe)

2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

3. From the Edit menu select New - DWORD Value

4. Enter a name of LocalNetPriority and press Enter

5. Double click the new value and set it to 0 to disable LocalNetPriority and re-enable round robin. Click OK

6. Close the registry editor

7. Stop and restart the DNS service

DNS resolution of a valid domain fails on NT.

A. If you are running NT4 DNS with either SP4 or SP5 installed you may find that a domain which resolves on Unix DNS servers times out when you do an NSLOOKUP on NT. This is a known bug; a Quick Fix Engineering patch for NT bug 267085 is available from Microsoft support, or wait for SP6 to come out.

How can I force a Windows 2000 domain controller to re-register its DNS entries?

A. To re-register the domain controller DNS entries perform one of the following:

1. Stop and start the Netlogon service, which will re-register all the SRV records in the netlogon.dns file.

2. Run netdiag /fix, which will also do this.

3. Run ipconfig /registerdns

How can I stop DNS Cache pollution?


A. DNS cache pollution can occur if Directory Naming Service (DNS) "spoofing" has been encountered. The term "spoofing" describes the sending of non-secure data in response to a DNS query. It can be used to redirect queries to a rogue DNS server and can be malicious in nature. Windows NT DNS can be configured to filter out responses to unsecured records by performing the following:

1. Start the registry editor (regedit.exe)

2. Move to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters

3. From the Edit menu select New - DWORD value

4. Enter a name of SecureResponses and press Enter

5. Double click the new value and set it to 1. Click OK

The following is taken from Knowledge base article Q198409 which helps understand this more:

"Examples: DNS server makes MX query for domain.samples.microsoft.com to samples.microsoft.com's DNS server. The samples.microsoft.com DNS server responds but includes A record for A.ROOT-SERVERS.NET giving its own address. The rogue DNS server has then gotten itself set up as a root server in your DNS server's cache. Less malicious, but more common, are referral responses (or direct responses from BIND, see WriteAuthorityNs for discussion) that contain records for the DNS of an ISP:

Authority section:

new.samples.microsoft.com NS ns.new.samples.microsoft.com.
new.samples.microsoft.com NS ns.isp.samples.microsoft.com.

Additional section:

ns.new.samples.microsoft.com. A 1.1.1.1
ns.isp.samples.microsoft.com. A 2.2.2.2

NOTE: The address record for the ISP happens to be old\stale. If SecureResponses is on, records that are not in a subtree of the zone queried are eliminated. For example, in the example above, the samples.microsoft.com. DNS server was queried, so all the samples.microsoft.com records are secure, but the ns.isp.microsoft.com. A record is not in the samples.microsoft.com. subtree, and is not cached or returned by the DNS server."
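The subtree rule the KB quote describes, worked through as an added example that is not from the FAQ, the KB article or Windows: a small Python filter that keeps only records whose owner name lies at or below the queried zone, run over a constructed response. The record names and addresses in RESPONSE are made up for illustration.

```python
"""Subtree ("bailiwick") filtering of DNS response records.

Added example, not from the FAQ or from Microsoft: it models the check the
FAQ attributes to the SecureResponses setting. A record is kept only if its
owner name is equal to, or a descendant of, the zone whose server was queried.
"""
from typing import Iterable, List, Tuple

# A resource record as (owner name, type, rdata). Trailing dots are optional.
Record = Tuple[str, str, str]


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def in_subtree(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or is a descendant of it.

    The comparison is label-wise, so 'nsisp.samples.microsoft.com' is not
    mistaken for a child of 'isp.samples.microsoft.com'.
    """
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def secure_responses(records: Iterable[Record],
                     queried_zone: str) -> Tuple[List[Record], List[Record]]:
    """Split records into (cached, discarded) as a SecureResponses=1 server would.

    Records whose owner name is outside the queried zone's subtree are the
    ones a rogue or stale server could use to pollute the cache, so they go.
    """
    kept, dropped = [], []
    for rec in records:
        (kept if in_subtree(rec[0], queried_zone) else dropped).append(rec)
    return kept, dropped


# Constructed response from the samples.microsoft.com server to an MX query,
# modelled on the FAQ's description: it smuggles in a root-server A record
# and glue for an ISP name server that lives outside the zone.
RESPONSE = [
    ("domain.samples.microsoft.com.", "MX", "10 mail.domain.samples.microsoft.com."),
    ("mail.domain.samples.microsoft.com.", "A", "192.0.2.10"),
    ("new.samples.microsoft.com.", "NS", "ns.isp.example."),
    ("ns.isp.example.", "A", "192.0.2.53"),       # ISP glue, outside the zone
    ("A.ROOT-SERVERS.NET.", "A", "192.0.2.66"),   # rogue root-server record
]

if __name__ == "__main__":
    kept, dropped = secure_responses(RESPONSE, "samples.microsoft.com")
    for rec in kept:
        print("cache  ", *rec)
    for rec in dropped:
        print("discard", *rec)
```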

DHCP FAQs

How often do DHCP servers authorize with Active Directory (AD)?

A. Before a Windows 2000 Server or later DHCP server that's either part of a domain or on a network that has an AD domain can start its DHCP service, the service must be authorized with AD. When the DHCP service starts, it queries AD to confirm its authorization status and continues to query AD every 60 minutes thereafter to confirm that it's still authorized.


DHCP servers that are members of a workgroup send out DHCPINFORM messages asking other DHCP servers on the network to respond. If a DHCP server that's part of an AD domain responds, the DHCP service won't start. You can change the 60-minute authorization check by performing this registry change:

1. Start the registry editor (regedit.exe).

2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters registry subkey.

3. From the Edit menu, select New, DWORD value.

4. Enter the name RogueAuthorizationRecheckInterval and press Enter.

5. Double-click the new value and set it to the number of minutes between authorization checks (e.g., 120 for 2 hours) and click OK.

To disable DHCP server authorization checks, perform these steps:

1. Start the registry editor.

2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters subkey.

3. From the Edit menu, select New, DWORD value.

4. Enter the name DisableRogueDetection and press Enter.

5. Double-click the new value and set it to 1. Click OK.

How do I run the DHCP service on a domain controller (DC) by using an account other than the DC's account?

A. After you install DHCP on a DC, for security purposes you might want to configure the DHCP service to run under a specific set of credentials other than the DC's computer account. When running on the DC account, the DHCP service could overwrite dynamic records that shouldn't be modified (e.g., the DC's service records), thereby posing a potential security risk. You can reduce this risk by running the DHCP service under alternate credentials, which you configure by running this command:

netsh dhcp server set dnscredentials <username> <domain> <password>

You can use any account with this command; just make sure to set its password to not expire.

Why is my Windows XP DHCP client address set to 0.0.0.0?

A. You might experience a problem with the DHCP client address if you uninstall Symantec's Norton AntiVirus but leave the application listed as a dependency for the DHCP service. If you check the System log, you might notice the following error: Error 7003 - DHCP service failed to start because dependency service SYMTDI will not start.

To resolve this problem, perform the following steps:

1. Start a registry editor (e.g., regedit.exe).

2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp registry subkey.

3. Double-click DependOnService.

4. Remove SYMTDI from the list, then click OK.

5. Restart the computer for the changes to take effect.

How can I configure my DHCP clients to request unicast responses from my DHCP server?

A. Unicast is any network communication between a single sender and a single receiver. DHCP server responses typically use multicast communication to reach all DHCP clients within a limited broadcast address (e.g., 255.255.255.255). However, you can configure the registry on Windows NT 4.0 or later DHCP servers to let clients request a unicast response, rather than a multicast response, from the DHCP server by performing the following steps:

1. Start a registry editor (e.g., regedit.exe).

2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters registry subkey.

3. Double-click IgnoreBroadcastFlag (or create this value of type DWORD if it doesn't already exist).

4. Set IgnoreBroadcastFlag to 1 to ignore the DHCP client request flag and always multicast responses, or 0 to let the client choose between unicast or multicast, then click OK.

5. Close the registry editor.

6. Reboot the server.

Pre-NT 4.0 DHCP versions will ignore this registry setting.

How do I enable DHCP server logging?

A. To enable enhanced DHCP logging, perform the following steps:

1. Start the DHCP administration tool (go to Start, Programs, Administrative Tools, and click DHCP).

2. Right-click the DHCP server, and select Properties from the context menu.

3. Select the General tab.

4. Select the "Enable DHCP audit logging" check box.

5. Click OK.

Windows 2000 will now create a DHCP log file in the %systemroot%\system32\dhcp directory for each day using a DhcpSrvLog.XXX file format. Common audit codes that might appear in the log include

00—The log was started.
01—The log was stopped.
02—The log was temporarily paused due to low disk space.
10—A new IP address was leased to a client.
11—A lease was renewed by a client.
12—A lease was released by a client.
13—An IP address was found to be in use on the network.
14—A lease request could not be satisfied because the scope's address pool was exhausted.
15—A lease was denied.
16—A lease was deleted.
17—A lease was expired.
20—A BOOTP address was leased to a client.
21—A dynamic BOOTP address was leased to a client.
22—A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.
23—A BOOTP IP address was deleted after verifying that it wasn't in use.

The DHCP Server uses codes above 50 for Rogue Server Detection information.
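To show how these codes are used once the log exists, an added example that is not part of the FAQ or of Windows: a Python triage of a DhcpSrvLog file using the code table above, which counts events per code and pulls out the conflict, exhaustion, denial and rogue-detection rows a defender would want to see. It assumes the comma-separated layout ID,Date,Time,Description,IP Address,Host Name,MAC Address, and the sample log lines are constructed.

```python
"""Triage of a Windows 2000 DHCP audit log (DhcpSrvLog.XXX).

Added example, not from the FAQ or from Windows. The log layout assumed here
is a prose header followed by the column line
ID,Date,Time,Description,IP Address,Host Name,MAC Address and one CSV row per
event; the sample below is constructed in that shape.
"""
import csv
from collections import Counter
from io import StringIO
from typing import Dict, List

# Audit codes as listed in the FAQ. Codes above 50 are rogue-server detection.
AUDIT_CODES = {
    0: "The log was started.",
    1: "The log was stopped.",
    2: "The log was temporarily paused due to low disk space.",
    10: "A new IP address was leased to a client.",
    11: "A lease was renewed by a client.",
    12: "A lease was released by a client.",
    13: "An IP address was found to be in use on the network.",
    14: "A lease request could not be satisfied because the scope's address pool was exhausted.",
    15: "A lease was denied.",
    16: "A lease was deleted.",
    17: "A lease was expired.",
    20: "A BOOTP address was leased to a client.",
    21: "A dynamic BOOTP address was leased to a client.",
    22: "A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.",
    23: "A BOOTP IP address was deleted after verifying that it wasn't in use.",
}

# Conditions worth an alert: logging paused, address conflicts, pool
# exhaustion and denials. Anything above 50 (rogue detection) is added too.
ALERT_CODES = {2, 13, 14, 15, 22}


def describe(code: int) -> str:
    """Human-readable meaning of an audit code."""
    if code in AUDIT_CODES:
        return AUDIT_CODES[code]
    if code > 50:
        return "Rogue server detection event (code %d)." % code
    return "Unknown audit code %d." % code


def parse_log(text: str) -> List[Dict[str, str]]:
    """Return the event rows of a DhcpSrvLog file, skipping the prose header."""
    lines = text.splitlines()
    # The column header is the first line that starts with "ID,".
    start = next(i for i, ln in enumerate(lines) if ln.startswith("ID,"))
    reader = csv.DictReader(StringIO("\n".join(lines[start:])))
    return [row for row in reader if row.get("ID", "").strip().isdigit()]


def triage(text: str) -> Dict[str, object]:
    """Summarise a log: counts per code plus the rows a defender should review."""
    rows = parse_log(text)
    counts = Counter(int(r["ID"]) for r in rows)
    alerts = []
    for r in rows:
        code = int(r["ID"])
        if code in ALERT_CODES or code > 50:
            alerts.append("%s %s code %d (%s) ip=%s host=%s mac=%s" % (
                r["Date"], r["Time"], code, describe(code),
                r["IP Address"], r["Host Name"], r["MAC Address"]))
    return {"counts": dict(counts), "alerts": alerts}


# Constructed sample log in the assumed layout (not a real capture).
SAMPLE_LOG = """\
\t\tMicrosoft DHCP Service Activity Log

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,01/09/00,00:00:01,Started,,,
10,01/09/00,09:15:23,Assign,200.200.200.3,pc1.savilltech.com,006097A42086
11,01/09/00,09:20:01,Renew,200.200.200.4,pc2.savilltech.com,00609712AB34
13,01/09/00,09:31:45,Conflict,200.200.200.5,,
14,01/09/00,10:02:10,Pool exhausted,,,
61,01/09/00,10:05:00,Rogue check,200.200.200.1,dhcp1.savilltech.com,
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["counts"])
    for line in result["alerts"]:
        print(line)
```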

I used the DHCPEXIM tool to migrate a DHCP scope between machines. Now, why is the system not granting any new IP leases?

A. The DHCPEXIM tool (from the Windows 2000 Resource Kit, Supplement 1) lets you move scopes from one DHCP server to another. However, a bug causes the new scope not to grant IP leases. To resolve this problem, perform the following steps:

1. Start regedit.exe.

2. Go to HKEY_Local_Machine\Software\Microsoft\DhcpServer\Configuration\Subnets\[IP address subnet]\IpRanges\[IP address start].

3. Double-click RangeFlags.

4. Set RangeFlags to 1, 2, or 3 where
   1 = DHCP only
   2 = BootP only
   3 = Both (DHCP and BootP)

5. Click OK.

6. Close regedit.

Why is my DHCP server not releasing client address leases?

A. A known problem exists with the Windows 2000 DHCP server that causes the server to ignore a lease release request from a client on another subnet, because releasing the lease causes the DHCP server to use its own IP address instead of the client's. This problem occurs if you haven't defined a scope for the local subnet of the DHCP server's primary interface. To work around this problem, create a scope for the local subnet (you don't have to activate it). You can also manually delete the leases. Perform the following steps:

1. Start the Microsoft Management Console (MMC) DHCP snap-in (Start, Programs, Administrative Tools, DHCP).

2. Select the Scope that contains the leases to be deleted.

3. Select the Address Leases container.

4. Right-click the lease to be deleted and select Delete.

5. Click OK to the confirmation.

How do I configure a client to use DHCP?

A. For NT workstation and Windows95 follow the instructions below:

1. Start the Network Control Applet by clicking on Network from Control Panel (Start - Settings - Control Panel) or right click on Network Neighborhood and select Properties

2. Click on the Protocol tab

3. Select TCP/IP and click Properties

4. Select "Obtain an IP address from a DHCP Service". DHCP settings will only override the IP address and subnet mask configured locally. If you have configured DNS, WINS etc locally then the DHCP configuration will not overwrite it.

For Windows 98:

1. Start the Network Control Applet by clicking on Network from Control Panel (Start - Settings - Control Panel) or right click on Network Neighborhood and select Properties

2. Select 'TCP/IP -> Adapter' and click Properties

3. Select the 'IP address' tab

4. Select "Obtain an IP address automatically".

For a Windows 2000 machine perform the following:

1. Right click on 'My Network Places' and select Properties

2. Right click on 'Local Area Connection' and select Properties

3. Select 'Internet Protocol (TCP/IP)' and click Properties

4. Select 'Obtain an IP address automatically' (and repeat for DNS) and click OK

What is DHCP?

A. DHCP stands for Dynamic Host Configuration Protocol and is used to automatically configure a host during boot up on a TCP/IP network and also to change settings while the host is attached. This means that you can store all the available IP addresses in a central database along with information such as the subnet mask, gateways, DNS servers etc. The basic idea behind DHCP is that clients are configured to use DHCP instead of being given a static IP address. When the client boots up it sends out a BOOTP request for an IP address. A DHCP server then offers an IP address that has not been assigned from its database, which is then leased to the client for a pre-defined time period. If the DHCP client is Windows 2000 and no offer is made and IP auto configuration has not been disabled, the client will attempt to find and use an IP address not currently in use; otherwise TCP/IP will be disabled.

How do I install the DHCP Server Service?

A. The DHCP server service can only be installed on an NT Server.

1. Start the Network Control Applet by clicking on Network from Control Panel (Start - Settings - Control Panel) or right click on Network Neighborhood and select Properties

2. Click on the Services tab and click Add

3. Select "Microsoft DHCP Server" and click OK

4. You will be prompted to insert the NT Server installation CD or say where the i386 directory is

5. A warning that all local adapters must use a static IP address is displayed; click OK

6. Click Close and select Yes to reboot

Under Windows 2000 to install perform the following:

1. Start the Add/Remove Programs Control Panel applet (Start - Settings - Control Panel - Add/Remove Programs)

2. In the left hand pane click 'Add/Remove Windows Components'

3. Click the 'Components' button to start the Components wizard

4. Click Next

5. Select 'Networking Services' and click Details

6. Check the 'Dynamic Host Configuration Protocol (DHCP)' option and click OK

7. Click Next and the relevant files and services will be configured.

8. Click Finish when all operations have completed

9. Click Close to the Add/Remove Programs dialog

How can I compress my DHCP database?

A. NT Server ships with a utility called JETPACK.EXE which can be used to compact DHCP and WINS databases. To compact your DHCP database perform the following:

1. Start a command prompt (cmd.exe)

2. Enter the following commands

cd %SystemRoot%\SYSTEM32\DHCP (e.g. cd d:\winnt\system32\dhcp)
net stop DHCPSERVER
jetpack DHCP.MDB TMP.MDB
net start DHCPSERVER

Note: While you stop the DHCP service, clients using DHCP to receive a TCP/IP address will not be able to start this protocol and may hang. Jetpack actually compacts DHCP.MDB into TMP.MDB, then deletes DHCP.MDB and renames TMP.MDB to DHCP.MDB! Simple :-) For more information, see Knowledge base article Q145881 at http://support.microsoft.com/support/kb/articles/q145/8/81.asp

How can I move a DHCP database from one server to another?

A. Perform the steps below on the server that currently hosts the DHCP Server service. Be warned that while doing this no DHCP clients will be able to start TCP/IP so this should be done outside working hours.

1. Log on as an Administrator and stop DHCP (Start - Settings - Control Panel - Services - Microsoft DHCP Server - Stop).

2. You also need to stop DHCP from starting again after a reboot, so start the Services Control Panel applet, select Microsoft DHCP Server and click Startup. From the startup type choose Disabled and click OK.

3. Copy the DHCP directory tree %systemroot%\system32\DHCP to a temporary storage area for use later.

4. Start the registry editor (regedt32.exe)

5. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Configuration

6. From the Registry menu, click Save Key. Create a name for this key, for example dhcpcfg.bck

7. Close the registry editor

Optionally, if you want to remove DHCP from the source machine totally, delete the DHCP directory (%systemroot%\system32\dhcp) and then delete the DHCP Service (Start - Settings - Network - Services - Microsoft DHCP Server - Remove).

On the new DHCP server perform the following:

1. Log on as an Administrator

2. If the server does not have the DHCP server service installed, install it (Start - Settings - Control Panel - Network - Services - Add - DHCP Server)

3. Stop the DHCP service (Start - Settings - Control Panel - Services - Microsoft DHCP Server - Stop).

4. Delete the contents of %systemroot%\system32\dhcp

5. Copy the backed up DHCP directory tree from the storage area to %systemroot%\system32\dhcp, but rename the file system.mdb to system.src. You may not have this file if you are using NT 4.0; if so, skip this step.

6. Start the registry editor (regedt32.exe)

7. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Configuration and select it

8. From the Registry menu select Restore

9. Locate the file dhcpcfg.bck you saved from the original machine and click Open

10. Click Yes to the warning

11. Close the registry editor

12. Reboot the machine

How do I create a DHCP Relay Agent?

A. If you have routers separating some of your DHCP clients from the DHCP server you may have problems if the routers are not RFC compliant. This can be solved by placing a DHCP relay agent on the local network segment; the relay agent is not itself a DHCP server but communicates with the DHCP Server on behalf of the clients. The DHCP Relay Agent must be a Windows NT Server computer.

1. On the NT Server log on as an Administrator

2. Start the Network control panel applet (Start - Settings - Control Panel - Network)

3. Click the Services tab and click Add

4. Select "DHCP Relay Agent" and click OK

5. Type the path of the files (e.g. d:\i386) and click OK

6. You will be asked if you wish to add an IP address to the DHCP servers list; click Yes

7. Click the DHCP Relay tab and click Add

8. In the DHCP Server field enter the IP address of the DHCP Server and click Add

9. Click OK

10. Restart the computer


[January 9, 2000] How can I backup the DHCP database? (John Savill, InstantDoc #13476)

A. The DHCP database backs itself up automatically every 60 minutes to the %SystemRoot%\System32\Dhcp\Backup\Jet directory. This interval can be changed:

1. Start the registry editor

2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters\BackupInterval

3. Double click on BackupInterval and set it to the number of minutes between backups. Click OK

4. Close the registry editor

5. Stop and restart the DHCP server service (Start - Settings - Control Panel - Services - DHCP Server - Stop and Start)

You could also back up the %SystemRoot%\System32\Dhcp\Backup\Jet directory if you wish.

How can I restore the DHCP database?

A. Perform one of the following:

1. When the DHCP Server service starts, if an error is detected in the database it will automatically restore the backup version

2. Edit the registry and set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters\RestoreFlag to 1, then restart the DHCP Server service. This will restore the backed up version and set RestoreFlag back to the default 0

3. Stop the DHCP Server service, copy the files from %SystemRoot%\System32\Dhcp\Backup\Jet to %SystemRoot%\System32\Dhcp and then start the DHCP Server service.

How do I reserve a specific address for a particular machine?

A. Before performing this you will need to know the hardware address of the machine. This can be found by entering the command

ipconfig /all

Look for the line

Physical Address. . . . . . : 00-60-97-A4-20-86

Now at the DHCP server perform the following:

1. Log on as an Administrator

2. Start the DHCP Server management software (Start - Programs - Administrative Tools - DHCP Manager)

3. Double click on the DHCP server, e.g. *Local Machine*

4. Select the light bulb and from the Scope menu select "Add Reservations"

5. In the Add Reserved Clients dialog box enter the IP address you wish to reserve and in the "Unique Identifier" box enter the hardware address of the client machine (obtained from ipconfig /all). Do not enter the hyphens, e.g. 006097A42086. Also enter a name for the machine (and a comment if you wish) and click Add

6. Click Close when you have added all the reservations

What registry settings control the DHCP log in Windows 2000?

A. DHCP has always had auditing abilities, however these abilities have been expanded in Windows 2000 to reduce problems caused by the log files. These improvements stop the log files growing to fill whole partitions and cause system problems. The following values are all located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters:

Value Name: DhcpLogFilePath
Type: REG_SZ
Description: The partition and directory for the audit logs to be written to. Make sure you write the entire path.

Value Name: DhcpLogMinSpaceOnDisk
Type: REG_DWORD
Description: If free space falls below this number (in megabytes) audit logging is stopped.

Value Name: DhcpLogDiskSpaceCheckInterval
Type: REG_DWORD
Description: Number of times the audit log is written to before checking for free disk space.

Value Name: DhcpLogFileMaxSize
Type: REG_DWORD
Description: Maximum size in megabytes the logs can grow to. By default it is 7.

How do I authorize a DHCP server in Windows 2000?

A. Any user running Windows 2000 server could install the DHCP server service, causing potential problems, and so Windows 2000 adds the concept of authorizing the servers with the Active Directory before they can service client requests. If the server is not authorized in the Active Directory then the DHCP service will not be started. To authorize a server perform the following:

1. Log on as a member of the Enterprise Administrators group

2. Start the DHCP MMC snap-in (Start - Programs - Administrative Tools - DHCP)

3. Select the DHCP root, right click and select 'Browse authorized servers'

4. A list of authorized DHCP servers will be displayed. Click Add

5. Enter the name or IP address of the DHCP server and click OK.

6. Click Close

The red arrow over the DHCP server should now change to a green one if you select Refresh (it may take a few minutes).

How do I create a DHCP scope in Windows 2000?

A. A DHCP scope is a range of addresses that can be assigned to clients and can also optionally provide information about DNS servers, WINS etc. DHCP scopes are configured using the DHCP MMC snap-in as follows:

1. Start the DHCP MMC snap-in (Start - Programs - Administrative Tools - DHCP)

2. Right click on the server and select New - Scope from the context menu

3. The scope creation wizard will be started, click Next

4. Enter a name and comment for the scope. Click Next

5. Enter the address range to use, for example from 200.200.200.1 to 200.200.200.15 (remember the host part cannot be 0). Also enter the subnet mask as either the number of bits used or the actual mask, e.g. 24 is the same as 255.255.255.0. Click Next

6. You can specify addresses to be excluded either by range, e.g. 200.200.200.5 to 200.200.200.7 and click Add, or just enter a Start address and click Add, e.g. 200.200.200.12 to exclude a single address. Click Next

7. You can now configure the lease time for the addresses. Setting it too large will mean you lose the use of addresses if the client machine is inactive for long periods of time; too short and you will generate unnecessary traffic renewing the address. The default 8 days is fine. Click Next

8. The wizard gives the option to configure the most common DHCP options. Select Yes and click Next

9. Enter the address of the gateway, and click Add. You can enter several. Click Next when all are entered.

10. Enter the DNS domain, e.g. savilltech.com, and the DNS server addresses. Click Next

11. Enter the WINS server addresses and click Add. Click Next

12. You will then be asked if you wish to activate the scope. Select your answer and click Next

13. Click Finish to the wizard

The new scope will now be listed with its status as either Active or Inactive. If you selected not to activate the scope it can be manually activated by right clicking on the scope, selecting 'All Tasks' and selecting Activate. The activation is immediate. Likewise you can deactivate by selecting Deactivate.
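An added example (not from the FAQ or the DHCP snap-in) that applies the wizard's rules from the steps above, a prefix length or dotted mask, no host part of 0, exclusions by range or by single address, to the FAQ's own 200.200.200.x figures and computes the leasable pool in Python. The validation function, its error messages and the broadcast-address check are my own additions.

```python
"""Checking a Windows 2000 DHCP scope definition before it is created.

Added example, not from the FAQ or from Microsoft: it mirrors the wizard's
inputs (start, end, mask as bit count or dotted form, exclusions) and reports
the addresses that would actually be leasable. The rule that the subnet
broadcast address is never leased is my assumption, not stated in the FAQ.
"""
import ipaddress
from typing import Iterable, List, Tuple, Union

MaskSpec = Union[int, str]               # e.g. 24 or "255.255.255.0"
Exclusion = Union[str, Tuple[str, str]]  # a single address or (start, end)


def to_prefix_length(mask: MaskSpec) -> int:
    """Accept either a bit count or a dotted mask, as the scope wizard does."""
    if isinstance(mask, int):
        if not 0 <= mask <= 32:
            raise ValueError("prefix length out of range: %d" % mask)
        return mask
    # ipaddress rejects a non-contiguous dotted mask with ValueError.
    return ipaddress.ip_network("0.0.0.0/%s" % mask).prefixlen


def plan_scope(start: str, end: str, mask: MaskSpec,
               exclusions: Iterable[Exclusion] = ()) -> List[str]:
    """Return the addresses the scope can hand out, or raise ValueError.

    The range must lie inside one subnet, and neither the subnet address
    (host part 0) nor the subnet broadcast address may be part of the pool.
    """
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError("end address precedes start address")
    plen = to_prefix_length(mask)
    net = ipaddress.ip_network("%s/%d" % (first, plen), strict=False)
    if last not in net:
        raise ValueError("range crosses the %s subnet boundary" % net)
    if first == net.network_address:
        raise ValueError("host part cannot be 0: %s is the subnet address" % first)
    if last == net.broadcast_address:
        raise ValueError("%s is the subnet broadcast address" % last)

    # Expand exclusions: a bare string excludes one address, a pair a range.
    excluded = set()
    for exc in exclusions:
        lo, hi = (exc, exc) if isinstance(exc, str) else exc
        lo_a, hi_a = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
        for n in range(int(lo_a), int(hi_a) + 1):
            excluded.add(ipaddress.IPv4Address(n))

    pool = []
    cur = first
    while cur <= last:
        if cur not in excluded:
            pool.append(str(cur))
        cur += 1
    return pool


if __name__ == "__main__":
    # The FAQ's example scope: .1 to .15 in a /24, excluding .5-.7 and .12.
    addrs = plan_scope("200.200.200.1", "200.200.200.15", 24,
                       [("200.200.200.5", "200.200.200.7"), "200.200.200.12"])
    print(len(addrs), "leasable addresses:", ", ".join(addrs))
```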

How do I change the DHCP address lease time in Windows 2000?

A. To modify the DHCP lease duration from the normal 8 days perform the following:

1. Start the DHCP MMC snap-in (Start - Programs - Administrative Tools - DHCP)

2. Expand the server

3. Right click the scope whose lease time you wish to change and select Properties

4. Select the General tab

5. At the bottom of the window you can select the lease duration, either Unlimited or a finite time.

6. Click Apply then OK


My Windows 2000 DHCP client has an IP address not in any scopes, how?

A. Microsoft have tried to make Windows 2000 as easy to set up on a small network as possible, and by default any machines installed are set up to use DHCP. On a very small network you may not have a DHCP server and rather than the machines failing to initialize TCP/IP, Microsoft has added code so that the machines will use an address not in use on the local network in the class B address range 169.254.x.x. This IP address range is reserved for internal use only and so should not clash with any "real" IP addresses on your network. The MacOS uses the same address range for its DHCP clients when a DHCP server cannot be contacted, as does Windows 98 Second Edition. This DHCP address allocation uses conflict detection via NetBIOS naming over DHCP so each machine gets an IP address from the 169.254.x.x range which is not in use. The actual address initially chosen is random. If any of your machines have a 169.254.x.x address it just means they could not contact a DHCP server, so check your network connectivity. This automatic IP addressing is known as Automatic Private IP Addressing (APIPA).


DFS FAQs

Q. Where is fault-tolerant (i.e., domain-based) Dfs information stored?

A. Unlike standalone Dfs roots and namespaces, which store their information in the registry, domain-based Dfs namespaces store their information in Active Directory (AD). The exact location in AD is the DFS-Configuration object in the domain AD partition's System container--yes, it's one object--which is why any change to the Dfs structure causes the entire Dfs namespace to be replicated to all domain controllers (DCs) in the domain. You can view this object by using a tool such as ADSI Edit.

Q. How can I ensure that my mobile Dfs clients access link targets from an updated link-target list?

A. When a client accesses a link in a Dfs hierarchy, the client obtains a list of link targets sorted by site location (i.e., link targets in the client's local site are listed first). The client then attempts to access the first link target on the list and, if it's successful, uses that link target until one of the following things happens:

The computer is restarted.

The client cache is cleared.

The Time To Live (TTL) on the referral expires.

If the client continues to access a link target, the TTL for the referral continues to be reset, which means the client never checks back with the Dfs server for an updated link-target list. Usually, if a client moves from one location to another, the user restarts the computer. Doing so causes the client to requery the Dfs server for the list of referrals to link targets. This list is reordered according to the client's new site location, thereby letting the client use a link target in its new site. However, if the user puts the client computer into hibernation instead of restarting it, the link-target list isn't updated. The client laptop continues to use its referral cache to access data, so the TTL never expires; thus, the client can never use a more local version of the data. It's important that mobile users shut down their laptops when they change locations so that Dfs can function correctly.

Q. How do I enable the Dfs restricted same-site target selection option?

A. To enable the restricted same-site target selection option, you need to use the Dfsutil tool on each root server. First, run dfsutil.exe to obtain a list of roots in the domain. For example, to obtain a list of the roots in the domain demo.test, you'd enter the command:

dfsutil /domain:demo.test /view

After you've determined the root name, you enable same-site Dfs target selection by running the Dfsutil command with the /insite switch. The command you use should look similar to this:


dfsutil /root:\\demo.test\shared /insite /enable

Here, the Dfs root is \\demo.test\shared. To check whether same-site Dfs target selection was enabled successfully, run the Dfsutil command again:

dfsutil /root:\\demo.test\shared /insite /display

This command should display the message "Insite Referrals ENABLED." To disable same-site Dfs target selection, run the second command again, but use the /disable switch instead of the /enable switch. You must restart the Dfs service on each Dfs root server to effect this change. Be aware that for links that point to another Dfs domain-based namespace, the Dfsutil command ignores the /insite setting so that clients can access links outside of their local site.

Q. What are the Dfs target-selection methods in Windows Server 2003?

A. Windows 2003 provides three options for directing Dfs clients to targets for a link:

Default target selection: This is the default method, which randomly selects a Dfs target in the requesting computer's local site from the available Dfs targets for the link. If no local targets exist in the requesting site, the target-selection process randomly chooses a target from any site in the forest, regardless of its physical proximity to the requesting computer.

The Windows 2003 site-identification process offers improvements over Windows 2000 Server Dfs site identification. In Win2K Server Dfs, the target-selection process obtains the link-target site by querying the link-target server. However, older OSs such as Windows NT Server 4.0 don't know this information, so the target-selection process in Win2K Server can't identify a site if it includes targets that are NT 4.0 or earlier systems. In Windows 2003, the Dfs server uses the IP address of the target links to determine their location relative to the requesting client, then points the client to a local link target. This method lets the target-selection process recognize older systems (by their IP address) and include them as potential link targets.

Restricted same-site target selection: This option, which also exists in Win2K Server, lets an administrator set Dfs so that clients are never directed to a Dfs target outside of their local site. This restriction solves the problem of clients being directed to targets that are physically far from the client, which would require large amounts of bandwidth, but also means that if the target-selection process can't find a local target for a link, the client can't access the data.

Least-expensive target selection: This is a new method in Windows 2003. You can enable this method as long as the domain controller (DC) that's acting as the Intersite Topology Generator (ISTG) for each site containing Dfs servers is running Windows 2003. When no link targets are available in the local site, this method finds link targets that are "closest" in terms of site costs (i.e., the most efficient path to a target) instead of randomly choosing a target from anywhere in the enterprise. This method is far more bandwidth-efficient than the Default Target Selection method.
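The three selection methods above, modelled in a small Python program so the difference between "random anywhere", "never leave the site" and "cheapest site" is concrete. This is an added example, not code from the original FAQ or from Microsoft; the site names, servers and site-link costs are constructed sample data standing in for the AD site objects the real Dfs service reads.

```python
"""Model of the three Windows Server 2003 Dfs target-selection methods:
default, restricted same-site (/insite) and least-expensive (site costing).

Added example, not code from the original FAQ or from Microsoft; the real
Dfs service reads AD site and site-link objects, which are stood in for
here by constructed sample data.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    """One link target: a server share and the AD site that server sits in."""
    server: str
    site: str


# Constructed sample site-link costs (what an administrator configures in
# AD Sites and Services). Lower cost = cheaper path between the two sites.
SITE_LINK_COSTS = {
    frozenset({"London", "Paris"}): 100,
    frozenset({"London", "Tokyo"}): 500,
    frozenset({"Paris", "Tokyo"}): 450,
}


def site_cost(site_a, site_b):
    """Cost of reaching site_b from site_a; 0 for the same site, infinite if unknown."""
    if site_a == site_b:
        return 0
    return SITE_LINK_COSTS.get(frozenset({site_a, site_b}), float("inf"))


def default_selection(targets, client_site, rng=random):
    """Default target selection: a random target in the client's own site, else a
    random target from anywhere in the forest, regardless of physical distance."""
    local = [t for t in targets if t.site == client_site]
    pool = local or list(targets)
    return rng.choice(pool) if pool else None


def restricted_same_site(targets, client_site, rng=random, interlink=False):
    """Restricted same-site selection (/insite): never leave the client's site.
    With no local target the client simply cannot reach the data. Links that
    point to another domain-based namespace ignore /insite (interlink=True),
    so they fall back to default behaviour."""
    if interlink:
        return default_selection(targets, client_site, rng)
    local = [t for t in targets if t.site == client_site]
    return rng.choice(local) if local else None


def least_expensive(targets, client_site, rng=random):
    """Least-expensive selection: when no local target exists, choose among the
    targets whose site is cheapest to reach instead of a random remote one."""
    if not targets:
        return None
    cheapest = min(site_cost(client_site, t.site) for t in targets)
    pool = [t for t in targets if site_cost(client_site, t.site) == cheapest]
    return rng.choice(pool)


def referral_order(targets, client_site):
    """The ordered referral list a client receives: local-site targets first,
    then the rest by increasing site cost (server name breaks ties)."""
    return sorted(
        targets,
        key=lambda t: (t.site != client_site, site_cost(client_site, t.site), t.server),
    )


if __name__ == "__main__":
    # Constructed sample: one target per site; clients in London and in a
    # site with no targets and no known site links.
    targets = [Target("srv-par", "Paris"), Target("srv-tok", "Tokyo"), Target("srv-lon", "London")]
    for site in ("London", "Berlin"):
        print(site, "default  :", default_selection(targets, site))
        print(site, "insite   :", restricted_same_site(targets, site))
        print(site, "cheapest :", least_expensive(targets, site))
        print(site, "referrals:", [t.server for t in referral_order(targets, site)])
```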

Q. How can I check the size of a Dfs namespace?


A. You use the Dfsutil command and specify the /view switch to display the current size of a Dfs namespace, for example:

dfsutil /root:\\demo.test\shared /view

where \\demo.test\shared is the root name. After you execute the command, you'll see messages on screen similar to these:

Domain Root with 2 Links
[Blob Size: 922 bytes]

You can estimate the size of a Dfs namespace by using the following values as guides:

Root: approximately 300 bytes

Each root target: approximately 150 bytes

Each link in the root: approximately 320 bytes

Each link target: approximately 120 bytes

Of course, comments will increase Dfs namespace size, so if disk space is a problem, try to keep comments as short as possible.

Q. What's the maximum size of a Dfs namespace?

A. An Active Directory (AD)-integrated Dfs namespace has a maximum size of 5MB, which is space enough for approximately 5000 links. A standalone Dfs namespace has a supported limit of 50,000 links.

Q. How many Dfs roots can a server that runs Windows Server 2003 or Windows 2000 Server hold?

A. There are two types of Dfs roots: standalone roots and Active Directory-integrated roots. Both Windows 2003- and Win2K Server-based Active Directory (AD) solutions can hold multiple Active Directory-integrated Dfs roots, meaning that AD can hold more than one root regardless of the server version. However, each root must have one or more targeted servers to "present" the root on behalf of the domain--a requirement that creates some limitations. All versions of Win2K Server can host only one root per server. Thus, if you have multiple roots in Win2K AD, you need multiple Win2K Server Dfs servers, each of which presents one of the roots. Windows Server 2003, Standard Edition is also limited to one root. However, Windows Server 2003, Enterprise Edition and Windows Server 2003, Datacenter Edition can host multiple Dfs roots with no set limit.

Q. How does the site-costing feature differ between Windows Server 2003 Dfs and Windows 2000 Dfs?

A. To begin, let's define site costing. A client that accesses a DFS namespace begins by connecting DFS root targets and the client site's own link targets. If all the client site targets are unavailable, the client attempts to randomly connect to the rest of the DFS root targets. Giving preference to the client site's link targets is part of a process called site costing and it exists in Windows 2003 Dfs and Win2K Dfs. This functionality is always enabled.


Microsoft added to Windows 2003 Dfs a new feature called closest site selection that's very similar to site costing. With closest site selection mode enabled, a client that accesses a DFS namespace begins by trying to connect to DFS root targets and the client site's own link targets. However, if all client site targets are unavailable, the client attempts to randomly connect to targets in the next closest site, and so on. For closest site selection to work on link targets, the Intersite Topology Generator (ISTG) must be running on Windows 2003, and for closest site selection to work on link and root targets, all domain controllers (DCs) must be running Windows 2003. To enable closest site selection in Windows 2003, you must use the version of the Dfsutil.exe command-line tool that will ship with Windows 2003. To enable closest site selection, type:

Dfsutil /Root:\\<DfsServerName>\<DfsRootName> /SiteCosting /Enable

To enable closest site selection for SYSVOL, you must create a registry key on all DCs. To create the key, perform the following steps:

247. Start a registry editor (e.g., regedit.exe).

248. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dfs\Parameters registry subkey.

249. From the Edit menu, select New, DWORD Value.

250. Enter the name SiteCostedReferrals, then press Enter.

251. Double-click the new value, set it to 1 to enable closest site selection, then click OK.

252. Close the registry editor.

253. Reboot the machine for the change to take effect.

If you move a Win2K DFS server to a new site, the Win2K server won't automatically refresh its site-related information. You can prevent this problem by removing the DFS server from the original site as a root target, then adding it to the new site as a root target. Windows 2003 can migrate from one site to another without experiencing the same problem because the OS can discover site information dynamically. Thanks to reader Atul for providing this information.

What is Distributed File System?

A. Distributed File System (or Dfs) is a new tool for NT server that was not completed in time for inclusion as part of NT 4.0, but is now available for download. It basically allows administrators to simulate a single server share environment that actually exists over several servers: basically a link to a share on another server that looks like a subdirectory of the main server. This allows a single view for all of the shares on your network, which could then simplify your backup procedures, as you would just back up the root share and Dfs would take care of actually gathering all the information from the other servers across the network. You do not have to have a single tree (Dfs directory structures are called trees), but rather could have a separate tree for different purposes, i.e. one for each department, but each tree could have exactly the same structure (sales, info, etc.).

How do I create a new folder as part of the Dfs?


A. Once Dfs is installed a new application, the Dfs Administrator, is created in the Administrative Tools folder. This app should be used to manage Dfs. To add a new area as part of the Dfs tree follow the procedures below:

254. Start the Dfs Administrator application (Start - Programs - Administrative Tools - Dfs Administrator)

255. Select "Add to Dfs" from the Dfs menu

256. Enter the name of folder you want an existing share to be known as

257. Next select what it should point to; you can either type the path, or use Browse.

258. Click Add

259. Close the Dfs Administrator

How do I create a Dfs root volume in Windows 2000?

A. Windows 2000 currently supports one Dfs root per server; however, this will be expanded in future versions of the operating system/service packs. The Distributed File System has its own DFS Microsoft Management Console snap-in, which has a shortcut in the Administrative Tools folder. To create a new Dfs root perform the following:

260. Start the Distributed File System MMC snap-in (Start - Programs - Administrative Tools - Distributed File System)

261. Right click on the Distributed File System root and select ‘New Dfs Root…’

262. The Dfs root creation wizard will be started, click Next to the introduction screen

263. The next screen gives the option of a fault-tolerant Dfs root which uses the Active Directory to store the information or a standalone Dfs root if the Active Directory is not available or not wanted. Select ‘Create a domain Dfs root’ and click Next

Select a domain to use. A list of available domains will be displayed and the current domain will be selected as the current choice. Click Next. This screen is not displayed if you are not creating a fault-tolerant Dfs root.

264. You will need to select a server to host the Dfs root (a domain member if fault tolerant) and must be running the Dfs service. The current server will be selected but can be changed by typing a domain name or click Browse. Click Next

265. The next stage is to select a share to act as the Dfs root. A list of existing shares will be displayed or you can select to create a new share by entering a share name and location. Click Next

266. Each Dfs root requires a unique name and will, by default, be the name of the share although you can change this. You can also select to add the new Dfs root to the current console. Click Next

267. A summary screen will be displayed showing the domain, server, share and Dfs root name. Click Finish to create the Dfs root

268. Once complete a success message will be displayed. Click OK

How can I add a replica Dfs root volume in Windows 2000?

A. If your Dfs root was created as a fault-tolerant Dfs root you may add other Dfs servers as part of the Dfs root replica set. To add a new Dfs root replica member perform the following:

269. Start the Distributed File System MMC snap-in (Start - Programs - Administrative Tools - Distributed File System)

270. Right click on the root you wish to add a replica to and select ‘New Root Replica’

271. You will be asked for a server that will host a copy of the Dfs root. Click Next

272. As when creating the original you need to either select an existing share or create a new folder and share. Click Finish

273. Click OK to the success confirmation

These root replicas will all contain the Dfs root information by utilizing and replicating via the Active Directory. You can actually see the Dfs information using the Active Directory Users and Computers snap-in: select Advanced Features view, System, Dfs.

How can I add a child node to Dfs in Windows 2000?

A. Once your Dfs root is created the next step is to populate it with child nodes/leafs which actually link to information. To add a new Dfs child node, or Dfs link as it's now called, perform the following:

274. Start the Distributed File System MMC snap-in (Start - Programs - Administrative Tools - Distributed File System)

275. Right click on the root you wish to add a link to and select ‘New Dfs Link’

276. You will need to enter a location and name for the child node, a UNC for the destination and a comment. You can also select the amount of time clients cache the request.

277. Click OK

Any subdirectories of the child leaf will also be published to the Dfs with the parent directory; for example, if a share, ntfaq, was added as a child node to Dfs, any subdirectories of that share would be viewable on the Dfs tree as children of the documents Dfs entry.


How can I add a replica child node to Dfs in Windows 2000?

A. The Windows 2000 version of Dfs allows child replica sets to be created, in which a single Dfs leaf points to multiple shares on different servers; the File Replication Service will keep the contents of all shares in sync with each other. This allows fault tolerance AND load balancing. Members of a node replica set must:

278. All be members of the domain

279. Use NTFS 5.0

280. Be on different servers. You cannot replicate between shares on the same server.

To add a new Dfs child replica member perform the following:

48. Ensure an up-to-date copy of the resource to which a new replica member is to be added is placed in the new share which will join the set

49. Start the Distributed File System MMC snap-in (Start - Programs - Administrative Tools - Distributed File System)

50. Right click on the child node you wish to add a replica to and select ‘New Replica’

51. You will need to enter the UNC of the new share, and you have the option of Manual replication or Automatic replication. ‘Manual replication’ is useful if the contents are read-only documents which do not often change. Joint replication will replicate the contents of the shares with all members in the replica set. Click OK

52. The replication set topology dialog will be shown. Check replication has been enabled and click OK

Multi-master replication is used except on the first replication path, where the contents of the Primary server are copied to the other members. Any content currently in the other shares is moved to a NtFrs-PreExisting subdirectory (but a checksum is performed, and if the files match the primary server's share they are moved back into the main directory to save the network bandwidth of copying them from the Primary server). Replication is every 15 minutes by default.

Group policy FAQs

Under which user accounts do the various Group Policy scripts run?

A. Group Policy supports four main types of scripts: computer startup, computer shutdown, user logon, and user logoff. The computer startup and shutdown scripts execute under the local system account; user logon and logoff scripts run as the current user account.

1. Explain hidden shares. Hidden or administrative shares are share names with a dollar sign ($) appended to their names. Administrative shares are usually created automatically for the root of each drive letter. They do not display in the network browse list.

2. How do the permissions work in Windows 2000? What permissions does a folder inherit from the parent? When you combine NTFS permissions based on users and their group memberships, the least restrictive permissions take precedence. However, explicit Deny entries always override Allow entries.

3. Why can’t I encrypt a compressed file on Windows 2000? You can either compress it or encrypt it, but not both.

4. If I rename an account, what must I do to make sure the renamed account has the same permissions as the original one? Nothing, it’s all maintained automatically.

5. What’s the most powerful group on a Windows system? Administrators.

6. What are the accessibility features in Windows 2000? StickyKeys, FilterKeys, Narrator, Magnifier, and On-Screen Keyboard.

7. Why can’t I get to the Fax Service Management console? You can only see it if a fax had been installed.

8. What do I need to ensure before deploying an application via a Group Policy? Make sure it’s either an MSI file, or contains a ZAP file for Group Policy.

9. How do you configure mandatory profiles? Rename ntuser.dat to ntuser.man

10. I can’t get multiple displays to work in Windows 2000. Multiple displays have to use peripheral connection interface (PCI) or Accelerated Graphics Port (AGP) port devices to work properly with Windows 2000.

11. What’s a maximum number of processors Win2k supports? 2

12. I had some NTFS volumes under my Windows NT installation. What happened to NTFS after Win 2k installation? It got upgraded to NTFS 5.

13. How do you convert a drive from FAT/FAT32 to NTFS from the command line? convert c: /fs:ntfs

14. Explain APIPA. Auto Private IP Addressing (APIPA) takes effect on Windows 2000 Professional computers if no DHCP server can be contacted. APIPA assigns the computer an IP address within the range of 169.254.0.0 through 169.254.255.254 with a subnet mask of 255.255.0.0.

15. How does Internet Connection Sharing work on Windows 2000? Internet Connection Sharing (ICS) uses the DHCP Allocator service to assign dynamic IP addresses to clients on the LAN within the range of 192.168.0.2 through 192.168.0.254. In addition, the DNS Proxy service becomes enabled when you implement ICS.


ACTIVE DIRECTORY ADMINISTRATION TIPS

Where does your client's security policy actually come from?

Gary Olsen, 07.18.2005

Did you know that it is possible for your clients to get domain-enforced security settings that are completely different from what you have defined in your domain policy?

The application of Group Policy is, for the most part, pretty straightforward. Computer settings apply to computers, and user settings apply to users, right? Well, actually, clients do not get their account security policy directly from the domain policy; it comes from the domain controller's local policy. I've found few administrators who understand this principle, yet it is crucial in the design of a company's security policy and for troubleshooting security issues such as password requirements and account lockout.

Let's see how it works.

Basics

There are a few basic principles we need to remember.


1. Account security settings are only applied from policy at the domain level. Microsoft recommends you put these security settings in the default domain policy. It is possible to put account security settings in multiple policies at the domain level, and they will be processed according to normal Group Policy Object (GPO) priority using the "last writer wins" rule. However, having conflicting settings in multiple policies doesn't make sense and creates problems when troubleshooting. It is therefore a good idea to apply security just to a single GPO whether that is the default domain policy or a special purpose GPO, called something like "Domain Security Policy."

2. It is possible to define security in GPOs applied to organizational units (OUs), but they will only apply to the local security policy of clients that are members of the domain. When a user logs in to the domain, he or she will get the security settings from the domain policy -- not the local policy (see #3).

3. Domain controllers provide security settings to domain users at logon time. This is a critical (and confusing) concept. The user's machine doesn't pull the security settings from the GPO at startup as it does for other machine settings. The client gets the security settings when the user is validated.

4. The security settings that domain controllers apply to clients upon a successful user logon are those that are stored in the DC's local secedit.sdb security database.

5. The DC gets the Account Security settings from the domain policy and applies them to its local .sdb. Note that this applies only to the account security settings, not to any other policy setting.

6. DCs replicate their local .sdb with each other. (Honest!)

What does all this mean?

The easiest way to demonstrate this is to point out what happens if you choose to block inheritance at the Domain Controllers OU, which some organizations do. If you block inheritance, your Account Policy settings will not get to the DC's secedit.sdb (see #1 and #5 above) and, thus, will not be applied to the client (see #3 above). For example, suppose you had defined a password length of 8 characters in the default domain policy prior to blocking inheritance -- so the DCs have that value defined in their local secedit.sdb. Then you set the Block Inheritance option at the Domain Controllers OU. Later you have a corporate mandate to change the password minimum length to 10. Here's what will happen if you set the Block Inheritance option on the Domain Controllers OU as just described: First, log on to a client with a domain account and reset the password to an 8-character password. It works, but it shouldn't because the policy says 10 -- right? Run GPresult /v (assuming the client is XP) and the password length will be 10. Table 1 shows this graphically, assuming the user logged on with a domain account, along with other Account Policy settings.

Setting             Domain policy value   DC secedit.sdb value   Local policy setting   Effective setting for the user
Password length     10                    8                      10                     8
Password history    24                    5                      24                     5

Table 1. These are the effective settings when users log on with a domain account when Block Inheritance has been enabled on the Domain Controllers OU.

Note: In Windows 2000 Pro, the local security policy GUI had a column called "Effective Settings." This is not shown in XP. The term "Effective Settings" used here refers to the actual settings that will affect the user, depending on whether the person logs in as a local user or a domain user. From this table, you can see that if the user logs on with a domain account, he or she will get the policy from the DC that is stored in the DC's secedit.sdb. Table 2 shows what users experience if they log on to a local account.

Setting             Domain policy value   DC secedit.sdb value   Local policy setting   Effective setting for the user
Password length     10                    8                      10                     10
Password history    24                    5                      24                     24

Table 2. These are the effective settings when users log on with a local account when Block Inheritance has been enabled on the Domain Controllers OU.

You can see that this is very confusing. For all intents and purposes it appears that the client gets the domain policy values, but the effective setting is different. When logged into a local user account, the user gets the local security policy, which is populated with the domain policy settings imposed on the client. However, when logged into the domain account, the user gets the settings that the DC has in its secedit.sdb. The DC's secedit.sdb has the last settings it received from the domain policy before the Block Inheritance option was enabled. When Block Inheritance is enabled, the new settings -- defined in the domain policy -- cannot be populated to the DCs. Thus, when the client contacts the DC, it gets the settings the DC knows about, which are different from what the actual policy specifies.

Why do it?

So, if blocking inheritance at the Domain Controllers OU causes such mayhem, why do it? Many companies deploy a number of GPOs at the domain level for such things as desktop lockdown. Obviously, you don't want to apply lockdown policies to DCs. Enabling Block Inheritance at the Domain Controllers OU prevents miscellaneous settings from applying to domain controllers. There are better designs that would prevent this, such as putting the lockdown policies in OUs, but in some cases Block Inheritance is a good option.

How to make it work

You have to block inheritance on the Domain Controllers OU, but that messes up the security policy. So, how do we make it all work together? Here are your options:

Set the No Override option on the GPO where the security settings are defined. This will force the account settings to the Domain Controllers OU in spite of the Block Inheritance setting.

OR

On a DC, define the local security settings so the account policies are what you want for the domain. It seems that the DCs will replicate this among themselves. I don't know if it is safe to assume this always happens, so I always check the other DC's secedit.sdb to make sure the change is made.

OR

Use security filtering so lockdown policies don't apply to DCs.

For my money, setting the No Override option is easiest, but remember that it will also enforce other policy settings defined in that GPO. Therefore, I would recommend the following:

Define a single-purpose GPO called Account Security Policy. Configure the Account Security settings (Password, Account Lockout, Kerberos) as desired. Enable the No Override option on the Account Security Policy GPO.

What about Kerberos settings?

Just as the password length was set (from an actual client case I worked on), the same principle applies to all Account Policy settings -- Password, Account Lockout and Kerberos. For instance, in another case the administrator had somehow set the Kerberos "Maximum Tolerance for Computer Clock Synchronization" setting to "Not Defined" (default is 5 minutes), which applied it to the DC. Then they blocked inheritance on the Domain Controllers OU. That setting defines the time skew allowed between clients for Kerberos to successfully authenticate (the default being 5 minutes). I don't know why they set it to "Not Defined." When set to Not Defined, the skew is zero (0), thus authentication would always fail because the clocks between the client and DC would never perfectly match. In addition to failed client logons, replication failed as well. The company chose to modify the DC's secedit.sdb and set the time skew to five minutes rather than setting No Override on the domain security policy, and it fixed the problem. Note that Kerberos settings can only be defined at the domain level. Look in the Default Domain Controller Policy, and you won't see the settings.

Conclusion

If you never block inheritance on the Domain Controllers OU, you won't ever see this problem. Nevertheless, it is good to understand this situation so you'll know how the security policy gets applied and are ready for such a situation. If you are ever presented with an edict from "up above" to block inheritance on this OU, you will be prepared to explain the ramifications rather than calling support when users complain that they can't log on.
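The precedence story above (Block Inheritance on the Domain Controllers OU versus No Override on the security GPO), as an added example that is not part of the original page: a small resolver that applies GPOs from the domain down to an OU the way the text describes. GPO names and setting values are constructed; in the real case the DCs keep whatever was last written to secedit.sdb, which this model represents simply as "setting absent".

```python
"""Group Policy precedence with Block Inheritance and No Override.

Added illustration, not code from the original page: resolves GPO settings
from the domain down to an OU so you can see the account settings vanish
when the Domain Controllers OU blocks inheritance, and come back when the
security GPO is set to No Override.  GPO names and values are constructed."""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict
    no_override: bool = False   # "No Override" (shown as Enforced in newer consoles)


@dataclass
class Container:                # domain or OU
    name: str
    gpos: list = field(default_factory=list)   # link order: highest precedence first
    block_inheritance: bool = False


def effective_settings(chain):
    """Resolve settings for the last container in `chain` (domain first).

    Later containers override earlier ones; Block Inheritance discards what
    was inherited so far; GPOs marked No Override are exempt from blocking
    and are applied last, with parents winning over children."""
    effective = {}
    enforced = []                       # No Override GPOs, parent first
    for container in chain:
        if container.block_inheritance:
            effective = {}              # inherited settings are dropped...
        for gpo in reversed(container.gpos):      # lowest precedence first
            if gpo.no_override:
                enforced.append(gpo)    # ...but No Override GPOs survive
            else:
                effective.update(gpo.settings)
    for gpo in reversed(enforced):      # child enforced first, parent enforced wins
        effective.update(gpo.settings)
    return effective


def domain_controllers_scenario(block_inheritance, account_gpo_no_override):
    """Domain with an account-security GPO and a desktop-lockdown GPO, and the
    Domain Controllers OU below it.  Returns the settings the DCs end up with."""
    account = GPO("Account Security Policy",
                  {"MinimumPasswordLength": 8, "LockoutThreshold": 5,
                   "KerberosMaxClockSkewMinutes": 5},
                  no_override=account_gpo_no_override)
    lockdown = GPO("Desktop Lockdown", {"HideRunMenu": True})
    domain = Container("mycompany.com", [account, lockdown])
    dc_ou = Container("Domain Controllers",
                      [GPO("Default Domain Controllers Policy",
                           {"AuditLogonEvents": True})],
                      block_inheritance=block_inheritance)
    return effective_settings([domain, dc_ou])


if __name__ == "__main__":
    print("no blocking:         ", domain_controllers_scenario(False, False))
    print("blocked:             ", domain_controllers_scenario(True, False))
    print("blocked + No Override:", domain_controllers_scenario(True, True))
```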


Questions prepared by Laxman

1. What are the different types of fiber connectors and how are they useful?

Connector   Insertion Loss                        Repeatability                         Fiber Type  Applications
FC          0.50-1.00 dB                          0.20 dB                               SM, MM      Datacom, Telecommunications
FDDI        0.20-0.70 dB                          0.20 dB                               SM, MM      Fiber Optic Network
LC          0.15 dB (SM), 0.10 dB (MM)            0.2 dB                                SM, MM      High Density Interconnection
MT Array    0.30-1.00 dB                          0.25 dB                               SM, MM      High Density Interconnection
SC          0.20-0.45 dB                          0.10 dB                               SM, MM      Datacom
SC Duplex   0.20-0.45 dB                          0.10 dB                               SM, MM      Datacom
ST          Typ. 0.40 dB (SM), Typ. 0.50 dB (MM)  Typ. 0.40 dB (SM), Typ. 0.20 dB (MM)  SM, MM      Inter-/Intra-Building, Security, Navy

2. What is the difference between single-mode and multimode fiber? (It is not a physical difference; you need to justify your answer in terms of signal passing and transceivers.)

A. Multimode fiber has a relatively large light-carrying core, usually 62.5 microns or larger in diameter. It is usually used for short distance transmissions with LED based fiber optic equipment. Single-mode fiber has a small light-carrying core of 8 to 10 microns in diameter. It is normally used for long distance transmissions with laser diode based fiber optic transmission equipment.

What is the maximum distance fiber optic transmitters can operate at?

It depends on which LuxLink™ model you purchase. Normal transmission distances can vary from a fraction of a mile to 40 miles (60 Kilometers) or more. The maximum transmission distance depends on output optical power of the transmitter, the optical wavelength utilized, the quality of the fiber optic cable and the sensitivity of the optical receiver. In general single-mode based systems operate over longer distances than multimode systems. The approximate transmission distances for LuxLink™ systems are indicated in the table below.

Model No.  Wavelength  Fiber Type   Connector  Transmission Distance covered**
-1         850 nm      multimode    ST         up to 2 miles (3 Km)
-3         1310 nm     multimode    ST         up to 6 miles (10 Km)
-7         1310 nm     single-mode  FCPC       up to 20 miles (30 Km)
-8*        1310 nm     single-mode  ST         up to 20 miles (30 Km)
-9         1550 nm     single-mode  FCPC       up to 40 miles (60 Km)

3. What is the technical difference between Cat5, Cat5e and Cat6 (not length and capacity; it should be in terms of the frequency range each operates at, attenuation, etc.)?

Category 5, 5E, 6 and 7 Performance Specification Chart

Columns: Cat 5 = Category 5 and Class D, with additional requirements TSB95 and FDAM 2; Cat 5E = Category 5E ('568-A-5); Cat 6 = Category 6 Class E (performance at 250 MHz shown in parentheses); Cat 7 = Proposed Category 7 Class F (performance at 600 MHz shown in parentheses).

Parameter                  Cat 5                      Cat 5E     Cat 6                Cat 7
Specified frequency range  1-100 MHz                  1-100 MHz  1-250 MHz            1-600 MHz
Attenuation                24 dB                      24 dB      21.7 dB (36 dB)      20.8 dB (54.1 dB)
NEXT                       27.1 dB                    30.1 dB    39.9 dB (33.1 dB)    62.1 dB (51 dB)
Power-sum NEXT             N/A*                       27.1 dB    37.1 dB (30.2 dB)    59.1 dB (48 dB)
ACR                        3.1 dB                     6.1 dB     18.2 dB (-2.9 dB)    41.3 dB (-3.1 dB)**
Power-sum ACR              N/A                        3.1 dB     15.4 dB (-5.8 dB)    38.3 dB (-6.1 dB)**
ELFEXT                     17 dB (new requirement)    17.4 dB    23.2 dB (15.3 dB)    ffs***
Power-sum ELFEXT           14.4 dB (new requirement)  14.4 dB    20.2 dB (12.3 dB)    ffs***
Return loss                8 dB* (new requirement)    10 dB      12 dB (8 dB)         14.1 dB (8.7 dB)
Propagation delay          548 nsec                   548 nsec   548 nsec (546 nsec)  504 nsec (501 nsec)
Delay skew                 50 nsec                    50 nsec    50 nsec              20 nsec

Can you tell me the difference between Cat5, 5E & Cat 6?

Cat 5e and Cat 6 are now here as ratified standards. Cat5 and Cat5e systems both have bandwidth capabilities of 100 MHz. However, additional parameters are tested on Cat5e systems to ensure they can support transmissions up to Gigabit Ethernet using all four pairs of the cable. Traditionally network systems, with few notable exceptions, have been carried on only two of the available pairs.

Cat6 systems have a bandwidth of 200 MHz (characteristics are defined to 250 MHz). The improved performance of a Cat6 system could support Gigabit Ethernet transmission using only 2 pairs of the cable. This is likely to make Gigabit interfaces cheaper when running on Cat6 systems, although the cost of Gigabit Ethernet interfaces to run on Cat5e has already reduced considerably.

5. Justify why three hard disks are required for RAID 5.

RAID Concept

RAID (Redundant Array of Independent Disks) is an acronym first used in 1988. RAID boxes provide the user a way to access multiple individual hard disks as if they were one larger disk, spreading data access out over the multiple disks, which reduces the risk of losing all data if one drive fails. This process improves disk access time.

In simpler terms, a RAID unit with eight bays, populated with 200 GB disks, can appear to a server as a single 1.6 TB disk, or can be configured to recover data if a disk goes bad.

NAS Concept

NAS (Network Attached Storage) also provides mass data storage, but interfaces to a network utilizing an IP address and an Ethernet interface. While NAS units can utilize RAID technology, including data redundancy, they are not RAID devices. NAS units often contain an internal O/S element which allows network interaction.

Why use RAID?

Typically RAID is used in large file servers and transaction or application servers, where data accessibility is critical and fault tolerance is required. Nowadays, RAID is also being used in desktop systems for CAD, multimedia editing and playback where higher transfer rates are needed.

RAID Levels

RAID 0: Also known as "Disk Striping", this is technically not a RAID level since it provides no fault tolerance. Data is written in blocks across multiple drives, so one drive can be writing or reading a block while the next is seeking the next block.

The advantages of striping are the higher access rate, and full utilization of the array capacity. The disadvantage is there is no fault tolerance - if one drive fails, the entire contents of the array become inaccessible.

RAID 1: Known as "Disk Mirroring", this provides redundancy by writing twice - once to each drive. If one drive fails, the other contains an exact duplicate of the data and the RAID can switch to using the mirror drive with no lapse in user accessibility. The disadvantages of mirroring are no improvement in data access speed, and higher cost, since twice the number of drives is required. However, it provides the best protection of data since the array management software will simply direct all application requests to the surviving disk members when a member disk fails.

RAID 3: RAID level 3 stripes data across multiple drives, with an additional drive dedicated to parity, for error correction/recovery.

RAID 5: RAID level 5 is the most popular configuration, providing striping as well as parity for error recovery. In RAID 5, the parity block is distributed among the drives of the array, giving a more balanced access load across the drives. The parity information is used to recover data if one drive fails, and is the reason this method is the most popular. The disadvantage is a relatively slow write cycle (2 reads and 2 writes are required for each block written). The array capacity is N-1, with a minimum of 3 drives required.

RAID 0+1: This is striping and mirroring combined, without parity. The advantages are fast data access (like RAID 0), and single-drive fault tolerance (like RAID 1). RAID 0+1 still requires twice the number of disks (like RAID 1).

RAID levels compared (common name, description, array's capacity, data reliability, data transfer capacity, minimum drives required):

RAID 0 (Disk striping)
  Description: Data distributed across the disks in the array. No redundant information provided.
  Array's capacity: (N) disks
  Data reliability: Low
  Data transfer capacity: Very High
  Minimum drives required: 2

RAID 1 (Disk mirroring)
  Description: All data duplicated.
  Array's capacity: 1* disks
  Data reliability: Very High
  Data transfer capacity: High
  Minimum drives required: 2

RAID 3 (Parallel transfer disks with parity)
  Description: Data sector is subdivided and distributed across all data disks. Redundant information stored on a dedicated parity disk.
  Array's capacity: (N-1) disks
  Data reliability: Very High
  Data transfer capacity: Highest of all listed alternatives
  Minimum drives required: 3

RAID 5 (Independent access array without rotating parity)
  Description: Data sectors are distributed as with disk striping; redundant information is interspersed with user data.
  Array's capacity: (N-1) disks
  Data reliability: Very High
  Data transfer capacity: Very High
  Minimum drives required: 3

RAID 0+1 (Disk-Striping + Disk-Mirroring)
  Description: Combined striping and mirroring function without parity. Fast data access and single drive fault tolerance.
  Array's capacity: (N/2) disks
  Data reliability: Very High
  Data transfer capacity: High
  Minimum drives required: 4

6. How do you troubleshoot problems related to Group Policies?

7. What is the reason for using layer 3 switches or high-end switches as core switches? Why can't we use a distribution layer switch or access layer switch in that location?

8. What is the use of NATing?

9. If a network has 172.*.*.* IP addresses and is getting connected to the Internet, what additional parameters need to be added at the router?

10. Why can't we rebuild the data if 2 out of 3 hard disks fail in a RAID 5 volume?
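The RAID 5 description in question 5 and question 10 above, worked through as an added example (not code from the original page): parity is the XOR of the data blocks in each stripe and rotates across the drives, so one missing block is always the XOR of the survivors, while two missing blocks leave one equation with two unknowns. The disk contents are constructed sample data.

```python
"""RAID 5 parity arithmetic: added illustration, not code from the original
page.  Each stripe keeps N-1 data blocks and one parity block (the XOR of
the data blocks), and the parity position rotates from stripe to stripe.
Any single missing block is the XOR of the other N-1 in its stripe, so the
array survives ONE drive failure; with two drives gone each stripe has two
unknowns and one equation.  Disk contents here are constructed sample data."""


def xor_blocks(blocks):
    """Bytewise XOR of equal-length byte blocks."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def parity_drive(stripe, n_drives):
    """Which drive holds the parity block of stripe number `stripe`."""
    return (n_drives - 1 - stripe) % n_drives


def build_array(data, n_drives, block_size):
    """Return a list of drives; each drive is a list of blocks, one per stripe."""
    if n_drives < 3:
        raise ValueError("RAID 5 needs at least 3 drives: N-1 data + 1 parity")
    per_stripe = (n_drives - 1) * block_size
    data += b"\x00" * ((-len(data)) % per_stripe)          # pad to whole stripes
    drives = [[] for _ in range(n_drives)]
    for s in range(len(data) // per_stripe):
        chunk = data[s * per_stripe:(s + 1) * per_stripe]
        blocks = [chunk[i * block_size:(i + 1) * block_size]
                  for i in range(n_drives - 1)]
        parity = xor_blocks(blocks)
        data_iter = iter(blocks)
        for d in range(n_drives):
            drives[d].append(parity if d == parity_drive(s, n_drives)
                             else next(data_iter))
    return drives


def read_array(drives, block_size):
    """Reassemble user data, skipping the parity block of each stripe."""
    n = len(drives)
    out = b""
    for s in range(len(drives[0])):
        out += b"".join(drives[d][s] for d in range(n) if d != parity_drive(s, n))
    return out


def rebuild(drives, failed):
    """Rebuild the drive in `failed` (a set of drive indexes) from the survivors."""
    n = len(drives)
    if len(failed) > 1:
        raise RuntimeError(
            f"{len(failed)} of {n} drives lost: each stripe gives one XOR "
            "equation, which cannot determine two unknown blocks")
    (lost,) = failed
    survivors = [drives[d] for d in range(n) if d != lost]
    return [xor_blocks([drv[s] for drv in survivors])
            for s in range(len(drives[0]))]


def demo(n_drives=3):
    """Constructed 48-byte payload on `n_drives` disks with 8-byte blocks.
    Returns (data round-trips, one lost drive rebuilt, two lost drives refused)."""
    data = b"interview questions dump: raid five parity demo!"
    drives = build_array(data, n_drives, block_size=8)
    round_trip = read_array(drives, 8) == data
    single_ok = rebuild(drives, {1}) == drives[1]
    try:
        rebuild(drives, {0, 1})
        double_refused = False
    except RuntimeError:
        double_refused = True
    return round_trip, single_ok, double_refused


if __name__ == "__main__":
    print("3 drives:", demo(3))
    print("4 drives:", demo(4))
```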

13. What is the time interval in which ADS replicates? Can we change that?

14. Why can't we keep both the Global Catalog and the Infrastructure Master on the same server?

The Infrastructure Master should not be on the same server that acts as a Global Catalog server. The reason for this is the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information. If they both reside on the same server, then the Infrastructure Master will never think there are changes to objects that reside in other domains because the Global Catalog will keep it constantly updated. This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain. Note: In a single domain environment this is not an issue.

19. Types of backup and their differences

Part 3: Choosing a Backup Type

When backing up your Windows XP/2000 computer with the Backup Utility, you have several options for what type of backup to perform. In fact, these are common options in nearly any backup software. Three of the choices are the most common types of backup: Normal (usually referred to as "Full"), Differential, and Incremental. Windows Backup also provides two other choices: Daily, and Copy.

In order to fully understand how these backup types differ, it is necessary to know something about file "attributes." Attributes are settings, sometimes called "bits" or "flags," that each file on your system has. The concept of file attributes dates all the way back to the earliest DOS days, and attributes are still used to mark files today. There are many attributes that can be set on a file, but the most commonly used attributes are ones such as:

R - marking the file as read only
S - marking the file as a system/secret file
H - marking the file as hidden
A - marking the file as ready for archiving

These attributes can be viewed by viewing the properties of a file, or by showing the Attributes column in Windows Explorer. To show this column, simply right-click an existing column heading in an Explorer window and choose the Attributes heading.

When a file is changed in any way - even just renamed - the "A" attribute is set, or "turned on." This indicates that the file has changed since the last time it was backed up. During a normal backup, this attribute will be "turned off." That is how this attribute is used for the other types of backup, described below:

Normal Backup

During a Normal type of backup, every file on the system is backed up, and the Archive bit is turned off. Actually, there are certain files that are not backed up, as specified in the Registry (see this Tip-of-the-Day for more information). This backup takes the longest to perform, but is the most complete type of backup, and the easiest to restore from. In order to do a full system restore, you would first install the Windows XP/2000 operating system, then restore the files from the latest Normal (full) backup.

Incremental Backup

During an Incremental type of backup, only files that have the Archive bit turned on are backed up. In other words, only files that have been changed since the last backup will be backed up. After being backed up, the Archive bit will be turned off on each file. This type of backup is usually the quickest, since the number of files that change on a system is generally a small percentage. It can be the longest backup type to restore from, however. In order to do a full system restore, you would first install the Windows XP/2000 operating system, then restore the files from each Incremental backup that was performed, in order (that's important), starting with the files from the most recent Normal backup, if one was performed. For this reason, Incremental backups are generally used only in conjunction with Normal backups.

Differential Backup

A Differential backup type is similar to Incremental, in that it backs up only files that have the Archive bit turned on. It differs in that after backing files up, it leaves the Archive bit alone, and does not turn it off. This means that files that have been changed will be backed up during each Differential backup until either a Normal or Incremental backup is performed to turn the Archive bit off. This backup takes the same time as or somewhat longer than an Incremental backup, but is much easier to restore from. In order to do a full system restore, you would first install the Windows XP/2000 operating system, then restore the files from only the most recent Differential backup. If a Normal backup was performed, you would restore the files from that backup, and then restore from the most recent Differential backup.

Daily

The Daily backup type is sort of a Differential off-shoot. In this backup type, only files that were changed (have the archive bit on) during the current day are backed up, and the Archive bit is left unchanged. This backup type is generally not used as part of a recovery program, because in order to do a full system restore, you would have to have a Normal backup, and then a Daily backup from each and every day since the Normal backup.

Copy

A Copy type of backup is similar to a Normal backup, except that it leaves the Archive bit unchanged. This backup type can be used to back up any selected files, regardless of whether or not the Archive bit is turned on, and will leave the Archive bit the same as before the backup. This is most commonly used between Normal and Incremental backups.

These different backup types can be used with a custom backup regimen or schedule to fit your time and storage capacity needs and limitations.
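The Archive-bit rules above, as an added example that is not code from the original page: a small model of the A bit and of each backup type's selection rule, which then derives the restore order the text describes (the Monday-Normal, Tuesday-to-Friday-Incremental week from question 7 of this dump is the first scenario). File names and the change timeline are constructed.

```python
"""Archive-bit bookkeeping behind the five Windows Backup types.

Added illustration, not code from the original page: a tiny model of the
"A" attribute and of each backup type's selection rule, plus the restore
order the text describes.  File names and the change timeline below are
constructed sample data."""
from dataclasses import dataclass, field

# (selects every file?, clears the A bit afterwards?) for each backup type,
# as the text describes them.
BACKUP_TYPES = {
    "normal":       (True,  True),
    "copy":         (True,  False),
    "incremental":  (False, True),
    "differential": (False, False),
    "daily":        (False, False),   # additionally limited to today's changes
}


@dataclass(frozen=True)
class BackupJob:
    kind: str
    day: int
    files: frozenset


@dataclass
class FileSystem:
    archive_bit: dict = field(default_factory=dict)  # path -> A bit on?
    modified_on: dict = field(default_factory=dict)  # path -> day of last change

    def touch(self, path, day):
        """Any change, even a rename, turns the A bit on."""
        self.archive_bit[path] = True
        self.modified_on[path] = day

    def backup(self, kind, day):
        selects_all, clears_bit = BACKUP_TYPES[kind]
        chosen = {p for p, on in self.archive_bit.items() if selects_all or on}
        if kind == "daily":
            chosen = {p for p in chosen if self.modified_on[p] == day}
        if clears_bit:
            for p in chosen:
                self.archive_bit[p] = False
        return BackupJob(kind, day, frozenset(chosen))


def restore_plan(jobs):
    """Jobs to restore after a total loss, in the order they must be applied.

    Start from the most recent Normal backup, then every Incremental taken
    after it (in order); a Differential is only needed if it is newer than
    the last Incremental.  Copy and Daily jobs are not part of the plan."""
    last_normal = max((i for i, j in enumerate(jobs) if j.kind == "normal"),
                      default=-1)
    plan = [jobs[last_normal]] if last_normal >= 0 else []
    pending_diff = None
    for job in jobs[last_normal + 1:]:
        if job.kind == "incremental":
            plan.append(job)
            pending_diff = None      # this incremental already holds those changes
        elif job.kind == "differential":
            pending_diff = job       # a newer differential supersedes an older one
    if pending_diff is not None:
        plan.append(pending_diff)
    return plan


def restored_files(plan):
    """Files recovered by applying the plan (later jobs overwrite earlier ones)."""
    return set().union(*(job.files for job in plan))


def weekly_scenario(kind):
    """Normal backup on day 1, then `kind` backups on days 2-5; one file
    changes every day.  Returns (restore order, files recovered)."""
    fs = FileSystem()
    for path in ("a.doc", "b.xls", "c.mdb"):      # constructed sample files
        fs.touch(path, 0)
    jobs = [fs.backup("normal", 1)]
    for day in range(2, 6):
        fs.touch("a.doc", day)
        jobs.append(fs.backup(kind, day))
    plan = restore_plan(jobs)
    return [j.kind for j in plan], restored_files(plan)


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        order, files = weekly_scenario(kind)
        print(f"{kind:>12}: restore {len(order)} jobs {order}, recovers {sorted(files)}")
```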

20. explain about FSMO roles

There are five different FSMO roles and they each play a different function in making Active Directory work:

PDC Emulator - This role is the most heavily used of all FSMO roles and has the widest range of functions. The domain controller that holds the PDC Emulator role is crucial in a mixed environment where Windows NT 4.0 BDCs are still present. This is because the PDC Emulator role emulates the functions of a Windows NT 4.0 PDC. But even if you've migrated all your Windows NT 4.0 domain controllers to Windows 2000 or Windows Server 2003, the domain controller that holds the PDC Emulator role still has a lot to do. For example, the PDC Emulator is the root time server for synchronizing the clocks of all Windows computers in your forest. It's critically important that computer clocks are synchronized across your forest because if they're out by too much then Kerberos authentication can fail and users won't be able to log on to the network. Another function of the PDC Emulator is that it is the domain controller to which all changes to Group Policy are initially made. For example, if you create a new Group Policy Object (GPO) then this is first created in the directory database and within the SYSVOL share on the PDC Emulator, and from there the GPO is replicated to all other domain controllers in the domain. Finally, all password changes and account lockout issues are handled by the PDC Emulator to ensure that password changes are replicated properly and account lockout policy is effective. So even though the PDC Emulator emulates an NT PDC (which is why this role is called PDC Emulator), it also does a whole lot of other stuff. In fact, the PDC Emulator role is the most heavily utilized FSMO role so you should make sure that the domain controller that holds this role has sufficiently beefy hardware to handle the load. Similarly, if the PDC Emulator role fails then it can potentially cause the most problems, so the hardware it runs on should be fault tolerant and reliable. 
Finally, every domain has its own PDC Emulator role, so if you have N domains in your forest then you will have N domain controllers with the PDC Emulator role as well.

RID Master - This is another domain-specific FSMO role, that is, every domain in your forest has exactly one domain controller holding the RID Master role. The purpose of this role is to replenish the pool of unused relative IDs (RIDs) for the domain and prevent this pool from becoming exhausted. RIDs are used up whenever you create a new security principal (user or computer account) because the SID for the new security principal is constructed by combining the domain SID with a unique RID taken from the pool. So if you run out of RIDs, you won't be able to create any new user or computer accounts, and to prevent this from happening the RID Master monitors the RID pool and generates new RIDs to replenish it when it falls beneath a certain level.

Infrastructure Master - This is another domain-specific role and its purpose is to ensure that cross-domain object references are correctly handled. For example, if you add a user from one domain to a security group from a different domain, the Infrastructure Master makes sure this is done properly. As you can guess however, if your Active Directory deployment has only a single domain, then the Infrastructure Master role does no work at all, and even in a multi-domain environment it is rarely used except when complex user administration tasks are performed, so the machine holding this role doesn't need to have much horsepower at all.

Schema Master - While the first three FSMO roles described above are domain-specific, the Schema Master role and the one following are forest-specific and are found only in the forest root domain (the first domain you create when you create a new forest). This means there is one and only one Schema Master in a forest, and the purpose of this role is to replicate schema changes to all other domain controllers in the forest. Since the schema of Active Directory is rarely changed however, the Schema Master role will rarely do any work. Typical scenarios where this role is used would be when you deploy Exchange Server onto your network, or when you upgrade domain controllers from Windows 2000 to Windows Server 2003, as these situations both involve making changes to the Active Directory schema.

Domain Naming Master - The other forest-specific FSMO role is the Domain Naming Master, and this role too resides in the forest root domain. The Domain Naming Master role processes all changes to the namespace; for example, adding the child domain vancouver.mycompany.com to the forest root domain mycompany.com requires that this role be available, so if you can't add a new child domain or new domain tree, check to make sure this role is running properly.

To summarize then, the Schema Master and Domain Naming Master roles are found only in the forest root domain, while the remaining roles are found in each domain of your forest. Now let's look at best practices for assigning these roles to different domain controllers in your forest or domain.

FSMO Roles Best Practices

Proper placement of FSMO Roles boils down to three simple rules:

Rule One: In your forest root domain, keep your Schema Master and Domain Naming Master on the same domain controller to simplify administration of these roles, and make sure this domain controller contains a copy of the Global Catalog. This is not a hard-and-fast rule as you can move these roles to different domain controllers if you prefer, but there's no real gain in doing so and it only complicates FSMO role management to do so. If for reasons of security policy however your company decides that the Schema Master role must be fully segregated from all other roles, then go ahead and move the Domain Naming Master to a different domain controller that hosts the Global Catalog. Note though that if you've raised your forest functional level to Windows Server 2003, your Domain Naming Master role can be on a domain controller that doesn't have the Global Catalog, but in this case be sure at least to make sure this domain controller is a direct replication partner with the Schema Master machine.

Rule Two: In each domain, place the PDC Emulator and RID Master roles on the same domain controller and make sure the hardware for this machine can handle the load of these roles and any other duties it has to perform. This domain controller doesn't have to have the Global Catalog on it, and in general it's best to move these two roles to a machine that doesn't host the Global Catalog because this will help balance the load (the Global Catalog is usually heavily used).

Rule Three: In each domain, make sure that the Infrastructure Master role is not held by a domain controller that also hosts the Global Catalog, but do make sure that the Infrastructure Master is a direct replication partner of a domain controller hosting the Global Catalog that resides in the same site as the Infrastructure Master. Note however that this rule does have some exceptions, namely that the Infrastructure Master role can be held by a domain controller hosting the Global Catalog in two circumstances: when there is only one domain in your forest or when every single domain controller in your forest also hosts the Global Catalog.


To summarize these three rules then and make them easy to remember:

Forest root domain - Schema Master and Domain Naming Master on the same machine, which should also host the Global Catalog.

Every domain - PDC Emulator and RID Master on the same machine, which should have beefy hardware to handle the load.

Every domain - Never place the Infrastructure Master on a machine that hosts the Global Catalog, unless your forest has only one domain or unless every domain controller in your forest hosts the Global Catalog.

If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC's event log.
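The three placement rules above, turned into a checker as an added example (not code from the original page): it takes a plain description of which DC holds which role and whether it is a Global Catalog, and reports violations of Rule One, Two and Three, including the two Rule Three exceptions and the "exactly one holder per scope" property of each role. The forest layout, DC names and the child domain are constructed sample data.

```python
"""FSMO placement checker for the three rules in the text.

Added illustration, not code from the original page.  Input is a plain
dict describing the forest; output is a list of findings (empty = the
placement follows the rules).  The sample forest below is constructed."""

FOREST_ROLES = ("SchemaMaster", "DomainNamingMaster")
DOMAIN_ROLES = ("PDCEmulator", "RIDMaster", "InfrastructureMaster")


def holders(domain, role):
    """Names of the DCs in `domain` that hold `role`."""
    return [dc for dc, info in domain["dcs"].items() if role in info["roles"]]


def check_placement(forest):
    """forest = {"root": <root domain>,
                 "domains": {<domain>: {"dcs": {<dc>: {"gc": bool, "roles": [...]}}}}}"""
    findings = []
    domains = forest["domains"]
    root_name = forest["root"]
    root = domains[root_name]
    single_domain = len(domains) == 1
    every_dc_is_gc = all(dc["gc"] for d in domains.values() for dc in d["dcs"].values())

    # Forest-wide roles exist exactly once, and only in the forest root domain.
    for role in FOREST_ROLES:
        for name, dom in domains.items():
            count = len(holders(dom, role))
            if name == root_name and count != 1:
                findings.append(f"{role}: expected exactly one holder in root "
                                f"domain {name}, found {count}")
            elif name != root_name and count:
                findings.append(f"{role}: found in child domain {name}, "
                                "but it is forest-wide")

    # Rule One: Schema Master and Domain Naming Master together, on a GC.
    schema = holders(root, "SchemaMaster")
    naming = holders(root, "DomainNamingMaster")
    if schema and naming:
        if schema != naming:
            findings.append("Rule One: Schema Master and Domain Naming Master "
                            "are on different DCs")
        elif not root["dcs"][schema[0]]["gc"]:
            findings.append(f"Rule One: {schema[0]} holds both forest roles "
                            "but is not a GC")

    for name, dom in domains.items():
        for role in DOMAIN_ROLES:
            count = len(holders(dom, role))
            if count != 1:
                findings.append(f"{role}: expected exactly one holder in {name}, "
                                f"found {count}")
        # Rule Two: PDC Emulator and RID Master together.
        pdc, rid = holders(dom, "PDCEmulator"), holders(dom, "RIDMaster")
        if pdc and rid and pdc != rid:
            findings.append(f"Rule Two: PDC Emulator and RID Master are on "
                            f"different DCs in {name}")
        # Rule Three: Infrastructure Master must not be a GC, with two exceptions.
        for im in holders(dom, "InfrastructureMaster"):
            if dom["dcs"][im]["gc"] and not (single_domain or every_dc_is_gc):
                findings.append(f"Rule Three: Infrastructure Master {im} in {name} "
                                "is also a GC; cross-domain references will "
                                "stop being updated")
    return findings


def sample_forest(child_im_dc="VDC1", include_child=True):
    """Constructed forest; `child_im_dc` picks where the child domain's
    Infrastructure Master sits (VDC1 is a GC, VDC2 is not)."""
    forest = {"root": "mycompany.com", "domains": {
        "mycompany.com": {"dcs": {
            "DC1": {"gc": True,  "roles": ["SchemaMaster", "DomainNamingMaster"]},
            "DC2": {"gc": False, "roles": ["PDCEmulator", "RIDMaster"]},
            "DC3": {"gc": False, "roles": ["InfrastructureMaster"]},
        }}}}
    if include_child:
        child = {"VDC1": {"gc": True,  "roles": ["PDCEmulator", "RIDMaster"]},
                 "VDC2": {"gc": False, "roles": []}}
        child[child_im_dc]["roles"].append("InfrastructureMaster")
        forest["domains"]["vancouver.mycompany.com"] = {"dcs": child}
    return forest


if __name__ == "__main__":
    for dc in ("VDC1", "VDC2"):
        print(dc, check_placement(sample_forest(dc)) or "OK")
```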

Why should the Infrastructure Master not be placed on a server that contains the GC?

The answer is the same as for question 14 above: the Infrastructure Master should not be on the same server that acts as a Global Catalog server, because the Global Catalog would keep it constantly updated and it would never replicate cross-domain object changes to the other domain controllers in its domain. Note: In a single domain environment this is not an issue.

21. What protocol is used in Terminal Server and what is its port number?

A. Terminal Server uses Remote Desktop Protocol, and its port number is 3389.

22. What is the ADS port?

445

23. What is the Kerberos port?

88

24. Differences between NTLM and Kerberos

RFC 1510 "The Kerberos Network Authentication Service (V5)" defines an authentication process which provides a method for verifying the identities of principals (workstation users and network servers) on an open network. For authentication purposes, clients use Kerberos tickets, which represent the client's network credentials. Clients obtain the tickets from the Kerberos Key Distribution Center (KDC), and they present these tickets when a network connection is established. Kerberos represents the client's identity by using the domain name, user name, and password.

The Windows 2000 security infrastructure also supports the following primary security protocols:

Windows NT LAN Manager (NTLM) authentication protocol is provided to support Windows NT version 4.0 and earlier. NTLM will continue to be supported and used for pass-through network authentication, remote file access, and authenticated Remote Procedure Call (RPC) connections to previous versions of Windows NT.

Distributed Password Authentication (DPA) is the shared secret authentication protocol that is used by many Internet membership organizations, such as MSN and CompuServe. This authentication protocol is part of Microsoft Commercial Internet System (MCIS) services and is specifically designed to allow users to use the same Internet membership password to connect to various Internet sites that are part of the same membership organization. The Internet content servers use the MCIS authentication service as a back end Internet service, and users can connect to multiple sites without reentering their passwords.

24. What is LDAP and its port?

Lightweight Directory Access Protocol (LDAP) is an open network protocol standard designed to provide access to distributed directories. LDAP provides a mechanism for querying and modifying information that resides in a directory information tree (DIT). A directory information tree typically contains a broad range of information about different types of network objects including users, printers, applications, and other network resources. LDAP is described through four basic models: Information, Naming, Functional, and Security. The combination of these models introduces a nomenclature that describes entries and their attributes, and provides methods to query and manipulate their values.

Ports

LDAP utilizes either Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) to connect from the client to the DSA. This connection occurs over a socket. Table 2 below lists different end points that provide a range of functionality.

Table 2. LDAP Connection End Points

Function                              Port
LDAP                                  389
LDAP Secure Sockets Layer (SSL)       636
Global Catalog (GC)                   3268
Global Catalog Secure Sockets Layer   3269

25. Explain intersite and intrasite replication.

Replication

Active Directory replication between domain controllers is managed by the system administrator on a site-by-site basis. As domain controllers are added, a replication path must be established. This is done by the Knowledge Consistency Checker (KCC), coupled with Active Directory replication components. The KCC is a dynamic process that runs on all domain controllers to create and modify the replication topology. If a domain controller fails, the KCC automatically creates new paths to the remaining domain controllers. Manual intervention with the KCC will also force a new path.

The Active Directory replaces PDCs and BDCs with multimaster replication services. Each domain controller retains a copy of the entire directory for that particular domain. As changes are made in one domain controller, the originator communicates these changes to the peer domain controllers. The directory data itself is stored in the ntds.dit file.

Active Directory replication uses Remote Procedure Call (RPC) over IP to conduct replication within a site. Replication between sites can utilize either RPC or the Simple Mail Transfer Protocol (SMTP) for data transmission. The default intersite replication protocol is RPC.

Intersite and Intrasite Replication

There are distinct differences between intrasite and intersite domain controller replication. In theory, the network bandwidth within a site is sufficient to handle all network traffic associated with replication and other Active Directory activities. By the definition of a site, the network must be reliable and fast. A change notification process is initiated when modifications occur on a domain controller. The domain controller waits for a configurable period (by default, five minutes) before it forwards a message to its replication partners. During this interval, it continues to accept changes. Upon receiving a message, the partner domain controllers copy the modification from the original domain controller. In the event that no changes were noted during a configurable period (six hours, by default), a replication sequence ensures that all possible modifications are communicated. Replication within a site involves the transmission of uncompressed data.

NOTE: Security-related modifications are replicated within a site immediately. These changes include account and individual user lockout policies, changes to password policies, changes to computer account passwords, and modifications to the Local Security Authority (LSA).

Replication between sites assumes that there are network-connectivity problems, including insufficient bandwidth, reliability, and increased cost. Therefore, the Active Directory permits the system to make decisions on the type, frequency, and timing of intersite replication. All replication objects transmitted between sites are compressed, which may reduce traffic by 10 to 25 percent, but because this is not sufficient to guarantee proper replication, the system administrator has the responsibility of scheduling intersite replication.

Replication Component Objects

Whereas the KCC represents the process elements associated with replication, the following comprise the Active Directory object components:

Connection object. Domain controllers become replication "partners" when linked by a connection object. This is represented by a one-way path between two domain controller server objects. Connection objects are created by the KCC by default. They can also be manually created by the system administrator.

NTDS settings object. The NTDS settings object is a container that is automatically created by the Active Directory. It contains all of the connection objects, and is a child of the server object.

Server object. The Active Directory represents every computer as a computer object. The domain controller is also represented by a computer object, plus a specially created server object. The server object's parent is the site object that defines its IP subnet. However, in the event that the domain controller server object was created prior to site creation, it will be necessary to manually define the IP subnet to properly assign the domain controller a site.

When it is necessary to link multiple sites, two additional objects are created to manage the replication topology.


Site link. The site link object specifies a series of values (cost, interval, and schedule) that define the connection between sites. The KCC uses these values to manage replication and to modify the replication path if it detects a more efficient one. The Active Directory DEFAULTIPSITELINK is used by default until the system administrator intervenes. The cost value, ranging from 1 to 32767, is an arbitrary estimate of the actual cost of data transmission as defined by bandwidth. The interval value sets how often replication occurs: the minimum is 15 minutes, the maximum is once a week (10080 minutes), and three hours is the default. The schedule establishes the time when replication should occur. Although replication can occur at any time by default, the system administrator may want to schedule it only during off-peak network hours.

Site link bridges. The site link bridge object defines a set of links that communicate via the same protocol. By default, all site links use the same protocol, and are transitive. Moreover, they belong to a single site link bridge. No configuration is necessary to the site link bridge if the IP network is fully routed. Otherwise, manual configuration may be necessary.
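The cost and bridging rules above decide which route the KCC prefers between sites. The following Python model is an added example, not code from the page or from Microsoft: it computes the lowest-cost route over a set of site links. With a single site link bridge over a fully routed network, links are transitive and a route costs the sum of its link costs; without bridging only a direct site link counts. The site names, link names and costs are constructed, and the real KCC also weighs schedules and intervals, which this model leaves out.

```python
"""Model of how the KCC picks an intersite replication route from site link costs.

Added example, not code from the page or from Microsoft. Site names, link names
and costs are constructed; the real KCC also weighs schedules and intervals,
which this model leaves out.
"""
import heapq

COST_MIN, COST_MAX = 1, 32767  # valid range of the site link cost value (from the page)


class SiteLink:
    """A site link joins two or more sites at a single cost."""

    def __init__(self, name, sites, cost):
        if not COST_MIN <= cost <= COST_MAX:
            raise ValueError(f"site link {name}: cost {cost} outside {COST_MIN}..{COST_MAX}")
        if len(sites) < 2:
            raise ValueError(f"site link {name}: a site link needs at least two sites")
        self.name = name
        self.sites = frozenset(sites)
        self.cost = cost


def adjacency(links):
    """Map each site to the (neighbour, cost, link name) triples reachable over one link."""
    adj = {}
    for link in links:
        for a in link.sites:
            for b in link.sites:
                if a != b:
                    adj.setdefault(a, []).append((b, link.cost, link.name))
    return adj


def cheapest_path(links, src, dst, bridged=True):
    """Return (total_cost, [site, ...]) for the lowest-cost route from src to dst.

    bridged=True models a single site link bridge over a fully routed network:
    links are transitive and a multi-hop route costs the sum of its link costs.
    bridged=False models the non-routed case, where only a direct site link counts.
    Returns None when dst cannot be reached.
    """
    adj = adjacency(links)
    if not bridged:
        direct = [cost for nbr, cost, _ in adj.get(src, []) if nbr == dst]
        return (min(direct), [src, dst]) if direct else None
    # Dijkstra over site link costs; neighbours are visited in sorted order so
    # equal-cost routes resolve the same way every run.
    best, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        cost, site = heapq.heappop(heap)
        if cost > best.get(site, float("inf")):
            continue  # stale heap entry
        if site == dst:
            break
        for nbr, link_cost, _ in sorted(adj.get(site, [])):
            new_cost = cost + link_cost
            if new_cost < best.get(nbr, float("inf")):
                best[nbr] = new_cost
                prev[nbr] = site
                heapq.heappush(heap, (new_cost, nbr))
    if dst not in best:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return best[dst], path[::-1]


# Constructed topology: four sites joined by four site links.
EXAMPLE_LINKS = [
    SiteLink("HQ-Branch1", {"HQ", "Branch1"}, 100),
    SiteLink("HQ-Branch2", {"HQ", "Branch2"}, 100),
    SiteLink("Branch1-Branch2", {"Branch1", "Branch2"}, 500),
    SiteLink("Branch2-DR", {"Branch2", "DR"}, 50),
]

if __name__ == "__main__":
    print(cheapest_path(EXAMPLE_LINKS, "HQ", "DR"))                 # (150, ['HQ', 'Branch2', 'DR'])
    print(cheapest_path(EXAMPLE_LINKS, "HQ", "DR", bridged=False))  # None: no direct HQ-DR link
```

Running the model shows the effect of the transitive bridge: HQ reaches the DR site through Branch2 at cost 150 when bridged, and not at all when only direct links count, which is the situation the text describes for a network that is not fully routed.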

Preventing Data Replication Collision

The Active Directory issues a unique identifier known as the Update Sequence Number (USN), which is given to every change made to an object. This number is incrementally changed whenever the object is modified. Each property of an object is also issued a USN. A source domain regularly communicates USN sequence changes to the peer domain controller. The latest USN is then registered in each domain controller to ensure the freshness of an object's current state. The Active Directory uses a timestamp only when changes are made at approximately the same time to the same object. At this point, in order to avoid data collisions, the change with the latest timestamp will be replicated by default. In all other cases, the Active Directory disregards the timestamping process.

27. Difference between IMAP4 and POP3

POP3: Since email needs to be downloaded to the desktop PC before being displayed, you may have the following problems with POP3 access.
IMAP: Since email is kept on the server, IMAP access gives the following benefits.

- POP3: You need to download all email again when using another desktop PC to check your email.
  IMAP: No need to download all email when using another desktop PC to check your email.

- POP3: May get confused if you need to check email both in the office and at home.
  IMAP: Easier to identify the unread email.

- POP3: The downloaded email may be deleted from the server depending on the setting of your email client.

- POP3: All messages as well as their attachments will be downloaded to the desktop PC during the 'check new email' process.
  IMAP: A whole message is downloaded only when it is opened to display its content.

- POP3: Mailboxes can only be created on the desktop PC. Only one mailbox (INBOX) exists on the server.
  IMAP: Multiple mailboxes can be created on the desktop PC as well as on the server.

- POP3: Filters can transfer incoming/outgoing messages only to local mailboxes.
  IMAP: Filters can transfer incoming/outgoing messages to other mailboxes no matter where the mailboxes are located (on the server or the PC).

- POP3: Outgoing email is stored only locally on the desktop PC.
  IMAP: Outgoing email can be filtered to a mailbox on the server for accessibility from other machines.

- POP3: Messages are deleted on the desktop PC. Comparatively, it is inconvenient to clean up your mailbox on the server.
  IMAP: Messages can be deleted directly on the server, making it more convenient to clean up your mailbox on the server.

- POP3: Messages may be reloaded onto the desktop PC several times due to the corruption of system files.
  IMAP: Reloading of messages from the server to the PC occurs much less often compared to POP3.

  

28. What are the port numbers of SMTP, IMAP, POP3?

FTP 20, 21
TELNET 23
SMTP 25
DNS 53
DHCP 67, 68
POP3 110
IMAP 143
LDAP 389
HTTP 80
KERBEROS 88
NETBIOS 139/137
WINS 42

29. How to find out whether an ADS installation was successful or not?

Check the following to verify ADS:

1. Check that the SRV resource records have been created properly by examining the DNS database. These folders should exist in the domain zone: _msdcs, _sites, _tcp, _udp.

2. Verify that the SYSVOL structure in %systemroot%\sysvol contains the subfolders Domain, Staging, Staging Areas, Sysvol.

3. Check that the necessary shares Netlogon and Sysvol are created.

4. Verify that the database (ntds.dit) and log files (Edb.*, Res*.log) are created.

30. About ADS sites and services

31. What is the difference between DNS and WINS?

Table 12.1 WINS Versus DNS

- WINS: The purpose is to resolve NetBIOS names to IP addresses.
  DNS: The purpose is to resolve host names to IP addresses.

- WINS: Names are flat and 15 characters long.
  DNS: Names are hierarchical in nature.

- WINS: Name registration is dynamic and happens automatically.
  DNS: Name registration is static and has to be done manually.

- WINS: Supports incremental replication of the data, which means that only changes in the database are replicated between WINS servers.
  DNS: Doesn't support incremental replication of data between DNS servers. This means the whole database has to be replicated every time.

- WINS: Supports DHCP.
  DNS: Doesn't support DHCP.

- WINS: Doesn't support email routing or additional TCP/IP application services.
  DNS: Supports other TCP/IP application services such as email routing.

32. What is the use of the Hosts file?

Hosts file or LMHosts file, what's the difference? Here is an article that might clear things up (as mud anyway).

Name Resolution for Windows Networking

For TCP/IP and the Internet, the globally known system name is the computer's host name, appended with a DNS domain name (for example, rhit.microsoft.com). This defaults to the computer name (NetBIOS name) defined during Windows 95 Setup. The default name can be changed in the DNS dialog box when you are configuring TCP/IP properties.

Computers use IP addresses to identify each other, but users usually find it easier to work with computer names. A mechanism must be available on a TCP/IP network to resolve names to IP addresses. To ensure that both the name and the address are unique, the computer using Microsoft TCP/IP registers its name and IP address on the network during system startup. Computers running Microsoft TCP/IP on the network can use one or more methods for name resolution in TCP/IP internetworks, as summarized in this section.

Broadcast name resolution. Computers running Microsoft TCP/IP can use broadcast name resolution, which is a NetBIOS-over-TCP/IP mode of operation defined in RFC 1001/1002 as b-node. This method relies on a computer making IP-level broadcasts to register its name by announcing it on the network. Each computer in the broadcast area is responsible for challenging attempts to register a duplicate name and for responding to name queries for its registered name.

LMHOSTS or HOSTS files.

An LMHOSTS file specifies the NetBIOS computer name and IP address mappings; a HOSTS file specifies the DNS name and IP address. On a local computer, the HOSTS file (used by Windows Sockets applications to find TCP/IP host names) and LMHOSTS file (used by NetBIOS over TCP/IP to find NetBIOS computer names) can be used to list known IP addresses mapped with corresponding computer names. LMHOSTS is used for name resolution in Windows 95 for internetworks where WINS is not available.

- The HOSTS file is used as a local DNS equivalent to resolve host names to IP addresses.
- The LMHOSTS file is used as a local WINS equivalent to resolve NetBIOS computer names to IP addresses.

Each of these files is also known as a host table. Sample versions of LMHOSTS (called LMHOSTS.SAM) and HOSTS files are added to the Windows directory when you install Windows 95 with TCP/IP support. These files can be edited using any ASCII editor, such as WordPad or Edit. To take advantage of HOSTS or LMHOSTS, DNS must be enabled on the computer. For information about setting up and using HOSTS and LMHOSTS files, see Appendix G, "HOSTS and LMHOSTS Files for Windows 95."

Windows Internet Name Service. Computers running Microsoft TCP/IP can use WINS if one or more Windows NT Server computers configured as WINS servers are available, containing a dynamic database for mapping computer names to IP addresses. WINS can be used in conjunction with broadcast name resolution for an internetwork, where other name resolution methods are inadequate. WINS is a NetBIOS-over-TCP/IP mode of operation defined in RFC 1001/1002 as h-node or m-node; WINS clients default to h-node. Notice that WINS is a dynamic replacement for the LMHOSTS file. For more information, see "Using WINS for Name Resolution" later in this chapter.

Domain Name System name resolution. DNS provides a way to look up name mappings when connecting a computer to foreign hosts using NetBIOS over TCP/IP or Windows Sockets applications such as FTP. DNS is a distributed database designed to relieve the traffic problems that arose with the first growth explosion on the Internet in the early 1980s. A DNS name server must be configured and available on the network. Notice that DNS replaces the functionality of the HOSTS file by providing a dynamic mapping of IP addresses to host names used by TCP/IP applications and utilities. For more information, see "Using DNS for Name Resolution" later in this chapter.

Windows 95 provides support for multiple DNS servers and up to two WINS servers. Support for either service can be configured automatically from a DHCP server, manually in Windows 95 Setup, or after Setup by using the Network option in Control Panel.

Name Resolution with Host Files

For computers located on remote subnets where WINS is not used, the HOSTS and LMHOSTS files provide mappings for names to IP addresses. This name-resolution method was used on internetworks before DNS and WINS were developed. The HOSTS file can be used as a local DNS equivalent; the LMHOSTS file can be used as a local WINS equivalent.

Note: Sample versions of LMHOSTS and HOSTS files are added to the Windows NT \systemroot\System32\drivers\Etc directory when you install Microsoft TCP/IP.

HOSTS

Microsoft TCP/IP can be configured to search HOSTS (the local host table file) for mappings of remote host names to IP addresses. The HOSTS file format is the same as the format for host tables in the 4.3 Berkeley Software Distribution (BSD) UNIX /etc/hosts file. For example, the entry for a computer with an address of 192.102.73.6 and a host name of mfg1.widgets.com looks like this:

192.102.73.6        mfg1.widgets.com

Because the HOSTS file is a simple text file, you can use a text editor, for example Notepad, to create and change it. (An example of the HOSTS format is provided in the file named HOSTS.sam in the Windows NT %systemroot%\System32\Drivers\Etc directory. This is only an example file; do not use this file as the primary HOSTS file.) Edit the sample HOSTS file (created when you install TCP/IP) to include remote host names and IP addresses for each computer with which you will communicate.

LMHOSTS

The LMHOSTS file is a local text file that maps IP addresses to NetBIOS computer names. It contains entries for Windows-networking computers located outside the local subnet. The LMHOSTS file is read when WINS or broadcast name resolution fails; resolved entries are stored in a local cache for later access. For example, the LMHOSTS table file entry for a computer with an address of 192.45.36.5 and a computer name of mrp2 looks like this:

192.45.36.5        mrp2

Because the LMHOSTS file is a simple text file, you can use a text editor, for example Notepad, to create and change it. (An example of the LMHOSTS format is provided in the file named LMHOSTS.sam in the Windows NT %systemroot%\System32\Drivers\Etc directory. This is only an example file; do not use this file as the primary LMHOSTS file.) Edit the sample LMHOSTS file (created when you install TCP/IP) to include remote NetBIOS names and IP addresses for each computer with which you will communicate.

The LMHOSTS file is typically used for small-scale networks that do not have servers
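Because the HOSTS and LMHOSTS tables are consulted locally, an entry in them overrides what DNS or WINS would answer, so administrators audit them. The following Python parser and audit is an added example, not code from the page or from Microsoft: it reads the host-table format shown above (address first, then one or more names, '#' starting a comment), resolves a name the way a table lookup does (first match wins), and reports names mapped to more than one address, lines it cannot read, and names the administrator has said must come from DNS rather than from a local file. The sample table and the protected-name list are constructed; the .invalid names are placeholders.

```python
"""Parser and audit for HOSTS-format tables (the 4.3BSD /etc/hosts layout described above).

Added example, not code from the page or from Microsoft. The sample table and the
list of protected names are constructed for this demonstration.
"""
import ipaddress


def parse_hosts(text):
    """Parse host-table text into (entries, malformed).

    entries:   list of (ip, [names...]) in file order, names lowercased
    malformed: list of (line number, raw line) for lines that do not start with a
               valid IP address followed by at least one name; an audit should see
               these rather than have them silently dropped.
    Rules implemented: '#' starts a comment, blank lines are skipped, fields are
    whitespace-separated.
    """
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append((lineno, raw))
            continue
        if len(fields) < 2:
            malformed.append((lineno, raw))
            continue
        entries.append((str(ip), [name.lower() for name in fields[1:]]))
    return entries, malformed


def resolve(entries, name):
    """Return the address for name from the table, first matching line wins, else None."""
    name = name.lower()
    for ip, names in entries:
        if name in names:
            return ip
    return None


def audit_hosts(text, protected):
    """Report the conditions an administrator reviewing a host table wants to know about.

    conflicts: name -> set of addresses, for names mapped to more than one address
               (only the first line is ever used, so the rest are dead or suspicious)
    overrides: name -> address, for protected names the table answers locally,
               bypassing DNS
    malformed: lines the parser could not read
    """
    entries, malformed = parse_hosts(text)
    first_seen, conflicts = {}, {}
    for ip, names in entries:
        for name in names:
            if name in first_seen and first_seen[name] != ip:
                conflicts.setdefault(name, {first_seen[name]}).add(ip)
            first_seen.setdefault(name, ip)
    overrides = {p.lower(): first_seen[p.lower()] for p in protected if p.lower() in first_seen}
    return {"conflicts": conflicts, "overrides": overrides, "malformed": malformed}


# Constructed sample table: the page's mfg1 entry plus lines an audit should flag.
SAMPLE_HOSTS = """\
# Sample host table (constructed for this example)
127.0.0.1       localhost
192.102.73.6    mfg1.widgets.com       # entry from the page's example
192.168.10.5    mfg1.widgets.com       # second mapping for the same name: never used
192.168.10.9    update.example.invalid # a name that should be answered by DNS, not locally
not-an-address  broken.example.invalid
"""

# Names the administrator says must never be answered from the local table (constructed).
PROTECTED_NAMES = ["update.example.invalid", "dc01.example.invalid"]

if __name__ == "__main__":
    entries, _ = parse_hosts(SAMPLE_HOSTS)
    print(resolve(entries, "MFG1.widgets.com"))       # 192.102.73.6 (first match, case-insensitive)
    print(audit_hosts(SAMPLE_HOSTS, PROTECTED_NAMES))
```

The audit deliberately keeps the first mapping for a duplicated name, because that is what the resolver uses; the later duplicate is reported rather than merged, since a second mapping for an already-defined name is exactly the kind of edit a reviewer wants to see.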

38. What is the Global Catalog?

The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in an Active Directory forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.

In addition to configuration and schema directory partition replicas, every domain controller in a Windows 2000 Server or Windows Server 2003 forest stores a full, writable replica of a single domain directory partition. Therefore, a domain controller can locate only the objects in its domain. Locating an object in a different domain would require the user or application to provide the domain of the requested object.

The global catalog provides the ability to locate objects from any domain without having to know the domain name. A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. The additional domain directory partitions are partial because only a limited set of attributes is included for each object. By including only the attributes that are most used for searching, every object in every domain in even the largest forest can be represented in the database of a single global catalog server.

Note

• A global catalog server can also store a full, writable replica of an application directory partition, but objects in application directory partitions are not replicated to the global catalog as partial, read-only directory partitions.

The global catalog is built and updated automatically by the Active Directory replication system. The attributes that are replicated to the global catalog are identified in the schema as the partial attribute set (PAS) and are defined by Microsoft. However, to optimize searching, you can edit the schema by adding or removing attributes that are stored in the global catalog.


In Windows 2000 Server environments, any change to the PAS results in full synchronization (update of all attributes) of the global catalog. Windows Server 2003 reduces the impact of updating the global catalog by replicating only the attributes that change.

Global Catalog Dependencies and Interactions

Global catalog servers have the following dependencies and interactions with other Windows Server technologies:

• Active Directory installation. When Active Directory is installed on the first domain controller in a forest, the installation application creates that domain controller as a global catalog server.

• Active Directory replication. The global catalog is built and maintained by Active Directory replication:

  • Subsequent to forest creation, when a domain controller is designated as a global catalog server, Active Directory replication automatically transfers PAS replicas to the domain controller, including the partial replica of every domain in the forest other than the local domain.

  • To facilitate intersite replication of global catalog server updates, Active Directory replication selects global catalog servers as bridgehead servers whenever a global catalog server is present in a site and domains that are not present in the site exist in other sites in the forest.

• Domain Name System (DNS). Global catalog server clients depend on DNS to provide the IP address of global catalog servers. DNS is required to advertise global catalog servers for domain controller location.

• Net Logon service. Global catalog advertisement in DNS depends on the Net Logon service to perform DNS registrations. When replication of the global catalog is complete, or when a global catalog server starts, the Net Logon service publishes service (SRV) resource records in DNS that specifically advertise the domain controller as a global catalog server.

• Domain controller Locator. When a global catalog server is requested (by a user or application that launches a search over port 3268, or by a domain controller that is authenticating a user logon), the domain controller Locator queries DNS for a global catalog server.

In the following diagram, global catalog interactions include tracking a global catalog server through the following interactions, which are indicated by boxes:

• Active Directory installation of a new forest: Global catalog creation occurs during Active Directory installation of the first domain controller in the forest.

• Net Logon registration: Resource records are registered in DNS to advertise the domain controller as a global catalog server.

• Active Directory replication:

  • When a new domain controller (DC2) is created and an administrator designates it as a global catalog server, replication of the PAS from DC1 occurs.

  • DC1 in DomainA replicates changes for DomainA to DC2, and DC2 replicates updates to data for DomainB to DC1.

• DC location: The dotted lines enclose the processes whereby two clients locate a global catalog server by querying DNS:

  • A through C: (A) ClientX sends a query to the global catalog, which prompts (B) a DNS query to locate the closest global catalog server, and then (C) the client contacts the returned global catalog server DC2 to resolve the query.

  • 1 through 5: (1) ClientY logs on to the domain, which prompts (2) a DNS query for the closest domain controllers. (3) ClientY contacts the returned domain controller DC3 for authentication. (4) DC3 queries DNS to find the closest global catalog server and then (5) contacts the returned global catalog server DC2 to retrieve the universal groups for the user.

Interactions with Other Windows Technologies


The global catalog solves the problem of how to locate domain data that is not stored on a domain controller in the domain of the client that requires the information. By using different ports for standard LDAP queries (port 389) and global catalog queries (port 3268), Active Directory effectively separates forestwide queries that require a global catalog server from local, domainwide queries that can be serviced by the domain controller in the user’s domain.

44. Explain about trees, domains, OUs, sites.

Domain: A domain is a group of computers that share a common directory database. Every domain must have a unique name, and all the resources inside the domain are managed by the domain administrator. A domain can contain any number of domain controllers.

Organizational Unit: It is a container used to group objects in a logical hierarchy according to the needs of the organization. An OU hierarchy can be created on the basis of:
- administrative model
- departmental structure
- geographical locations

Trees: A tree is a hierarchy of domains sharing the same namespace. Domains in a tree follow a parent/child relationship. When a new domain is added to the root domain, the new domain becomes the child domain and the root becomes the parent domain. Two-way transitive trusts are created by default between all the domains of a tree.

Domain Controller: It is a Windows 2000 server running Active Directory.

Site: A site is a collection of subnets connected by a high-speed link. Replication topology is managed by creating sites.

33. Explain about browser services and its advantages

34. DNS troubleshooting and its tools

Domain Name System (DNS)

You must configure DNS correctly to ensure that Active Directory will function properly. For a more in-depth treatment of DNS configuration for Active Directory, see the following Microsoft Knowledge Base article: 237675 (http://support.microsoft.com/kb/237675/EN-US/) Setting Up the Domain Name System for Active Directory. Review the following configuration items to ensure that DNS is healthy and that the Active Directory DNS entries will be registered correctly:

- DNS IP configuration
- Active Directory DNS registration
- Dynamic zone updates
- DNS forwarders

DNS IP Configuration

An Active Directory server that is hosting DNS must have its TCP/IP settings configured properly. TCP/IP on an Active Directory DNS server must be configured to point to itself to allow the server to register with its own DNS server. To view the current IP configuration, open a command window and type ipconfig /all to display the details. You can modify the DNS configuration by following these steps:

1. Right-click My Network Places, and then click Properties.
2. Right-click Local Area Connection, and then click Properties.
3. Click Internet Protocol (TCP/IP), and then click Properties.
4. Click Advanced, and then click the DNS tab. Configure the DNS information as follows:
   a. Configure the DNS server addresses to point to the DNS server. This should be the computer's own IP address if it is the first server or if no dedicated DNS server will be configured.
   b. If the resolution of unqualified names setting is set to Append these DNS suffixes (in order), the Active Directory DNS domain name should be listed first (at the top of the list).
   c. Verify that the DNS Suffix for this connection setting is the same as the Active Directory domain name.
   d. Verify that the Register this connection's addresses in DNS check box is selected.
5. At a command prompt, type ipconfig /flushdns to purge the DNS resolver cache, and then type ipconfig /registerdns to register the DNS resource records.

Start the DNS Management console. There should be a host record (an "A" record in Advanced view) for the computer name. There should also be a Start of Authority (SOA in Advanced view) record pointing to the domain controller (DC) as well as a Name Server record (NS in Advanced view).

Active Directory DNS Registration

The Active Directory DNS records must be registering in DNS. The DNS zone can be either a standard primary or an Active Directory-integrated zone. An Active Directory-integrated zone is different from a standard primary zone in several ways. An Active Directory-integrated zone provides the following benefits:

• The Windows 2000 DNS service stores zone data in Active Directory. This causes DNS replication to create multiple masters, and it allows any DNS server to accept updates for a directory service-integrated zone. Using Active Directory integration also reduces the need to maintain a separate DNS zone transfer replication topology.

• Secure dynamic updates are integrated with Windows security. This allows an administrator to precisely control which computers can update which names, and it prevents unauthorized computers from obtaining existing names from DNS.

Use the following steps to ensure that DNS is registering the Active Directory DNS records:

1. Start the DNS Management console.
2. Expand the zone information under the server name.
3. Expand Forward Lookup Zones, right-click the name of the Active Directory domain's DNS zone, click Properties, and then verify that Allow Dynamic Updates is set to Yes.
4. Four folders with the following names are present when DNS is correctly registering the Active Directory DNS records. These folders are labeled: _msdcs, _sites, _tcp, _udp. If these folders do not exist, DNS is not registering the Active Directory DNS records. These records are critical to Active Directory functionality and must appear within the DNS zone. You should repair the Active Directory DNS record registration.

To repair the Active Directory DNS record registration:

• Check for the existence of a Root Zone entry. View the Forward Lookup zones in the DNS Management console. There should be an entry for the domain. Other zone entries may exist. There should not be a dot (".") zone. If the dot (".") zone exists, delete the dot (".") zone. The dot (".") zone identifies the DNS server as a root server. Typically, an Active Directory domain that needs external (Internet) access should not be configured as a root DNS server.

The server probably needs to reregister its IP configuration (by using Ipconfig) after you delete the dot ("."). The Netlogon service may also need to be restarted. Further details about this step are listed later in this article.

• Manually repopulate the Active Directory DNS entries. You can use the Windows 2000 Netdiag tool to repopulate the Active Directory DNS entries. Netdiag is included with the Windows 2000 Support tools. At a command prompt, type netdiag /fix.

To install the Windows 2000 Support tools:

1. Insert the Windows 2000 CD-ROM.
2. Browse to Support\Tools.
3. Run Setup.exe in this folder.
4. Select a typical installation. The default installation path is Systemdrive:\Program Files\Support Tools.
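The DNS IP Configuration steps above reduce to two checks on the server's own TCP/IP settings: the first DNS server address must be the server itself, and the connection's DNS suffix must match the Active Directory domain. The following Python script is an added example, not code from the page or from Microsoft: it parses the "Label . . . : value" layout of ipconfig /all output and applies those two checks. The two ipconfig captures are constructed samples in the Windows 2000 layout with a single adapter (the parser does not separate multiple adapters, and it assumes IPv4-only values without colons); the addresses and domain reuse the page's fictitious test.swynk.com values.

```python
"""Check an Active Directory DNS server's own client DNS settings from ipconfig /all text.

Added example, not code from the page or from Microsoft. The ipconfig captures are
constructed samples in the Windows 2000 layout with one adapter; real output may list
several adapters, which this parser does not separate, and IPv6 values (which contain
colons) are not handled.
"""


def parse_ipconfig(text):
    """Return {label: [values]} from indented 'Label . . . : value' lines.

    Section titles ('Windows 2000 IP Configuration', 'Ethernet adapter ...:') start at
    column 0 and are skipped. An indented line without a colon continues the previous
    label, which is how ipconfig lists a second DNS server.
    """
    settings, last = {}, None
    for raw in text.splitlines():
        if not raw.startswith(" "):
            last = None
            continue
        line = raw.strip()
        if not line:
            last = None
            continue
        if ":" in line:
            label, value = line.split(":", 1)
            label = label.strip(" .")
            settings.setdefault(label, [])
            if value.strip():
                settings[label].append(value.strip())
            last = label
        elif last is not None:
            settings[last].append(line)
    return settings


def check_dc_dns_settings(text, ad_domain):
    """Apply the two checks from the DNS IP Configuration steps; return a list of findings.

    An empty list means the settings are what the procedure asks for.
    """
    s = parse_ipconfig(text)
    findings = []
    own_ips = s.get("IP Address", [])
    dns_servers = s.get("DNS Servers", [])
    if not dns_servers:
        findings.append("no DNS servers configured")
    elif dns_servers[0] not in own_ips:
        findings.append(f"first DNS server {dns_servers[0]} is not this server's own address {own_ips}")
    suffix = (s.get("Connection-specific DNS Suffix") or [""])[0]
    if suffix.lower() != ad_domain.lower():
        findings.append(f"connection DNS suffix {suffix!r} does not match the AD domain {ad_domain}")
    return findings


# Constructed capture: the server points to itself first and carries the domain suffix.
GOOD_IPCONFIG = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : dc1
        Primary DNS Suffix  . . . . . . . : test.swynk.com

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : test.swynk.com
        IP Address. . . . . . . . . . . . : 172.16.0.1
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . : 172.16.0.254
        DNS Servers . . . . . . . . . . . : 172.16.0.1
                                            172.16.0.2
"""

# Constructed capture: another server is listed first and the connection suffix is empty.
BAD_IPCONFIG = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : dc1
        Primary DNS Suffix  . . . . . . . : test.swynk.com

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 172.16.0.1
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . : 172.16.0.254
        DNS Servers . . . . . . . . . . . : 172.16.0.2
                                            172.16.0.1
"""

if __name__ == "__main__":
    print(check_dc_dns_settings(GOOD_IPCONFIG, "test.swynk.com"))  # []
    for finding in check_dc_dns_settings(BAD_IPCONFIG, "test.swynk.com"):
        print("finding:", finding)
```

A server that fails the first check registers its records with another DNS server instead of its own, which is the symptom the procedure is written to prevent.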


After you run the Netdiag utility, refresh the view in the DNS Management console. The Active Directory DNS records should then be listed.

NOTE: The server may need to reregister its IP configuration (by using Ipconfig) after you run Netdiag. The Netlogon service may also need to be restarted.

If the Active Directory DNS records do not appear, you may need to manually re-create the DNS zone.

• Manually re-create the DNS zone:

1. Start the DNS Management console.
2. Right-click the name of the zone, and then click Delete.
3. Click OK to acknowledge any warnings. The Forward Lookup zones no longer list the deleted zone.
4. Right-click Forward Lookup Zones, and then click New Zone.
5. The New Zone Wizard starts. Click Next to continue.
6. Click the appropriate zone type (either Active Directory-integrated or Standard primary), and then click Next.
7. Type the name of the zone exactly as it appears in Network Identification, and then click Next.
8. Click the appropriate zone file, or a new zone file. Click Next, and then click Finish to finish the New Zone Wizard. The newly created zone appears in the DNS Management console.
9. Right-click the newly created zone, click Properties, and then change Allow Dynamic Updates to Yes.
10. At a command prompt, type net stop netlogon, and then press ENTER. The Netlogon service is stopped.
11. Type net start netlogon, and then press ENTER. The Netlogon service is restarted.
12. Refresh the view in the DNS Management console. The Active Directory DNS records should be listed under the zone.

If the Active Directory DNS records still do not exist, there may be a disjointed DNS namespace. If you suspect that there is a disjointed DNS namespace, see the "Disjointed DNS Namespace" section in this article.

Dynamic Zone Updates

Microsoft recommends that the DNS Lookup zone accept dynamic updates. You can configure this by right-clicking the name of the zone, and then clicking Properties. On the General tab, the Allow Updates setting should be set to Yes, or for an Active Directory-integrated zone, either Yes or Only secure updates. If dynamic updates are not allowed, all host registration must be completed manually.
DNS Forwarders

To ensure network functionality outside of the Active Directory domain (such as browser requests for Internet addresses), configure the DNS server to forward DNS requests to the appropriate Internet service provider (ISP) or corporate DNS servers. To configure forwarders on the DNS server:

1. Start the DNS Management console.
2. Right-click the name of the server, and then click Properties.
3. Click the Forwarders tab.
4. Click to select the Enable Forwarders check box.

NOTE: If the Enable Forwarders check box is unavailable, the DNS server is attempting to host a root zone (usually identified by a zone named only with a period, or dot (".")). You must delete this zone to enable the DNS server to forward DNS requests. In a configuration in which the DNS server does not rely on an ISP DNS server or a corporate DNS server, you can use a root zone entry.

5. Type the appropriate IP addresses for the DNS servers that will accept forwarded requests from this DNS server. The list reads from the top down in order; if there is a preferred DNS server, place it at the top of the list.
6. Click OK to accept the changes.

The SRV records follow the convention _service._protocol.DNSDomainName, where DNSDomainName designates a Windows 2000 domain for which DNS is authoritative. Since Active Directory servers are accessed using the LDAP service over TCP, most entries start with the prefix _ldap._tcp.

For example, let's consider a fictitious domain test.swynk.com, with two Windows 2000 sites called EastCoast and WestCoast. In a properly working environment, the DNS server would contain:

- an SRV record for each of domain controllers in the domain in the form: _ldap._tcp.test.swynk.com

- an SRV record for each domain controller in each site (this allows clients to locate domain controllers local to the site in which they reside) in the form: _ldap._tcp.EastCoast._sites.test.swynk.com and _ldap._tcp.WestCoast._sites.test.swynk.com.

- an SRV record for PDC emulator operation master for the domain, in the form: _ldap._tcp.pdc._msdcs.test.swynk.com

- an SRV record for each global catalog server in the domain, in the form: _ldap._tcp.gc._msdcs.test.swynk.com

- an SRV record for each global catalog in each site (this allows clients to locate global catalog servers local to the site, in which they reside), in the form: _ldap._tcp.EastCoast._sites.gc._msdcs.test.swynk.com and _ldap._tcp.WestCoast._sites.gc._msdcs.test.swynk.com

There also would be CNAME records referencing the GUID (Globally Unique Identifier) of each domain controller in the test.swynk.com domain in the form: _ldap._tcp.DCGUID.domains._msdcs.test.swynk.com, where DCGUID is the GUID of the Active Directory object representing this domain controller.


NSLOOKUP.EXE

NSLOOKUP allows you to run quick queries for records existing on a particular DNS server. This can be done in one of two modes:

- interactive mode - for a single query lookup. For example, in order to find the A record for win2kserver01.test.swynk.com on the DNS server 172.16.0.1, you would run:

nslookup win2kserver01.test.swynk.com 172.16.0.1

which would return:

Server:  win2kdns.test.swynk.com
Address:  172.16.0.1

Name:    win2kserver01.test.swynk.com
Address:  10.0.0.102

- non-interactive mode - for multiple record query, with a number of enhancements (for example a debugging feature). The non-interactive mode is run by typing at the command prompt: nslookup - DNS_IP_Address where DNS_IP_Address is the IP Address of the DNS server you want to query. This will display the > prompt, from which you can run nslookup specific commands. The examples below show how to get the listing of records described in the previous section:

SRV records for domain controllers in the test.swynk.com domain:

> set type=SRV
> _ldap._tcp.test.swynk.com

SRV records for domain controllers within the EastCoast site of the test.swynk.com domain:

> set type=SRV
> _ldap._tcp.EastCoast._sites.test.swynk.com

the PDC emulator operations master for the test.swynk.com domain:

> set type=SRV
> _ldap._tcp.pdc._msdcs.test.swynk.com

global catalog servers in the test.swynk.com domain:

> set type=SRV
> _ldap._tcp.gc._msdcs.test.swynk.com

global catalog servers in the EastCoast site of the test.swynk.com domain:

> set type=SRV
> _ldap._tcp.EastCoast._sites.gc._msdcs.test.swynk.com

DNSCMD.EXE

DNSCMD.EXE is located in the \SUPPORT\TOOLS folder on the Windows 2000 installation CD. It is a command-line utility which offers a wide range of DNS management functions. For example, you can use it to list DNS settings such as BindSecondaries, which controls the zone transfer format: when set to 1 the server sends slow, uncompressed, one-record-per-message transfers for compatibility with old BIND secondaries; when set to 0 it uses the fast transfer format (compressed, multiple records per message):

dnscmd.exe 172.16.0.1 /info BindSecondaries
Query result:
Dword: 1 (00000001)
Command completed successfully.

This setting can be changed using the following command:

dnscmd.exe 172.16.0.1 /config /BindSecondaries 0
Registry property BindSecondaries successfully reset.
Command completed successfully.

To illustrate some of DNSCMD.EXE's capabilities, I'll cover its ability to manage the aging of DNS records. Aging allows automated scavenging of stale dynamically registered records that haven't been refreshed within a configurable time interval (the no-refresh interval plus the refresh interval). Aging can be set on a per-server, per-zone, and per-record basis. The following examples modify the configuration of the aging process on the DNS server 172.16.0.1:

- setting the default refresh interval for the server 172.16.0.1 to 168 hours (7 days):

dnscmd.exe 172.16.0.1 /config /DefaultRefreshInterval 168
Registry property DefaultRefreshInterval successfully reset.
Command completed successfully.

- setting the default no-refresh interval for the server 172.16.0.1 to 168 hours (7 days):

dnscmd.exe 172.16.0.1 /config /DefaultNoRefreshInterval 168
Registry property DefaultNoRefreshInterval successfully reset.
Command completed successfully.

- setting the scavenging period for the server 172.16.0.1 to 168 hours (7 days):

dnscmd.exe 172.16.0.1 /config /ScavengingInterval 168
Registry property ScavengingInterval successfully reset.
Command completed successfully.

- setting the no-refresh interval for the test.swynk.com zone:

dnscmd.exe 172.16.0.1 /config test.swynk.com /NoRefreshInterval 168
Registry property NoRefreshInterval successfully reset.
Command completed successfully.

- setting the refresh interval for the test.swynk.com zone:

dnscmd.exe 172.16.0.1 /config test.swynk.com /RefreshInterval 168
Registry property RefreshInterval successfully reset.
Command completed successfully.

- setting the scavenging servers (the servers allowed to scavenge the zone test.swynk.com); this option is available only through DNSCMD.EXE:

dnscmd 172.16.0.1 /ZoneResetScavengeServers test.swynk.com 172.16.0.1
New scavenge servers:
        server Count = 1
        server[0] => 172.16.0.1
Reset scavenging servers on zone test.swynk.com successfully.
Command completed successfully.

You can also list records within a specific zone, in a similar way to what was done above with NSLOOKUP.EXE. For example, here are the ways to list:

- all the domain controllers in the EastCoast site of the test.swynk.com domain:

dnscmd.exe 172.16.0.1 /EnumRecords test.swynk.com _tcp.EastCoast._sites.test.swynk.com. /Continue
Returned Records:
_gc [Aging:3509520] 600 SRV 0 100 3268 win2kserver01.test.swynk.com.
_kerberos [Aging:3509520] 600 SRV 0 100 88 win2kserver01.test.swynk.com.
_ldap [Aging:3509521] 600 SRV 0 100 389 win2kserver01.test.swynk.com.
Command completed successfully.

where the numbers appearing to the left of the server name designate the port numbers used by the respective protocols:

389 standard LDAP queries
3268 LDAP queries against a global catalog server
88 Kerberos authentication over TCP

and the value in brackets is the record's aging time stamp (hours since 1 January 1601), which scavenging compares against the no-refresh and refresh intervals set above.

- the PDC emulator for the test.swynk.com domain:

dnscmd 172.16.0.1 /EnumRecords test.swynk.com _tcp.pdc._msdcs.test.swynk.com. /Continue
Returned records:
_ldap [Aging:3509521] 600 SRV 0 100 389 win2kserver01.test.swynk.com.
Command completed successfully.
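The SRV records listed in the two sections above, and the aging stamps in the dnscmd output, as an added example that is not part of the original page: a Python script that parses dnscmd /EnumRecords SRV lines, converts the [Aging:N] stamp (hours since 1601) to a date, flags targets that are not in an allowlist of your own domain controllers (a DC locator record pointing at a host you do not run is how a rogue registration through an unsecured dynamic update shows up), checks that each service label advertises its expected port, and lists the records that scavenging would remove under the no-refresh and refresh intervals configured above. SAMPLE_OUTPUT is constructed from the output shown above plus one extra record, and KNOWN_DCS is an assumed allowlist.

```python
"""Parse the SRV records that `dnscmd /EnumRecords` returns for the DC locator
names, decode the aging stamp, and flag anything a domain controller did not
register.

Added example, not part of the original page.  SAMPLE_OUTPUT is constructed
from the dnscmd output shown on the page plus one extra record; KNOWN_DCS is
an assumed allowlist."""
import re
from datetime import datetime, timedelta, timezone

# dnscmd prints [Aging:N] where N is hours since 1601-01-01 00:00 UTC.
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Ports a healthy DC locator record advertises for each service label.
EXPECTED_PORTS = {"_ldap": 389, "_gc": 3268, "_kerberos": 88, "_kpasswd": 464}

SAMPLE_OUTPUT = """\
Returned Records:
_gc [Aging:3509520] 600 SRV 0 100 3268 win2kserver01.test.swynk.com.
_kerberos [Aging:3509520] 600 SRV 0 100 88 win2kserver01.test.swynk.com.
_ldap [Aging:3509521] 600 SRV 0 100 389 win2kserver01.test.swynk.com.
_ldap [Aging:3509521] 600 SRV 0 100 389 rogue-box.test.swynk.com.
Command completed successfully.
"""
KNOWN_DCS = ["win2kserver01.test.swynk.com"]  # assumed allowlist of your DCs

_SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+\[Aging:(?P<aging>\d+)\]\s+(?P<ttl>\d+)\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$")


def from_aging(hours):
    """Convert a dnscmd aging stamp (hours since 1601) to a UTC datetime."""
    return _EPOCH_1601 + timedelta(hours=int(hours))


def parse_srv_records(text):
    """One dict per SRV line; banner and footer lines do not match and are skipped."""
    records = []
    for line in text.splitlines():
        m = _SRV_LINE.match(line.strip())
        if not m:
            continue
        records.append({
            "name": m["name"],
            "timestamp": from_aging(m["aging"]),
            "ttl": int(m["ttl"]),
            "priority": int(m["prio"]),
            "weight": int(m["weight"]),
            "port": int(m["port"]),
            # Normalise so the allowlist comparison ignores case and the trailing dot.
            "target": m["target"].rstrip(".").lower(),
        })
    return records


def unexpected_targets(records, known_dcs):
    """Hosts advertised as DC/GC/KDC that are not in the allowlist."""
    known = {h.rstrip(".").lower() for h in known_dcs}
    return sorted({r["target"] for r in records if r["target"] not in known})


def port_mismatches(records):
    """Service labels advertising a port other than the one the service uses."""
    return [r for r in records
            if r["name"] in EXPECTED_PORTS and r["port"] != EXPECTED_PORTS[r["name"]]]


def stale_records(records, now, no_refresh_hours=168, refresh_hours=168):
    """Records scavenging would remove: not refreshed within NoRefresh + Refresh."""
    cutoff = timedelta(hours=no_refresh_hours + refresh_hours)
    return [r for r in records if now - r["timestamp"] > cutoff]


if __name__ == "__main__":
    recs = parse_srv_records(SAMPLE_OUTPUT)
    for r in recs:
        print(f"{r['name']:10} {r['port']:5} {r['target']:32} {r['timestamp']:%Y-%m-%d %H:%M}")
    print("unexpected targets:", unexpected_targets(recs, KNOWN_DCS))
    print("port mismatches:", port_mismatches(recs))
```

In practice you would feed the script the real output of dnscmd /EnumRecords for _msdcs and each _sites subtree, and keep KNOWN_DCS in step with the domain controllers OU.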

Windows 2000 WMI DNS Provider

The DNS WMI Provider creates and populates WMI classes which reference information contained in DNS zones and their resource records. The provider can be used to manipulate DNS servers, zones, and individual records. All necessary files are downloadable from the Microsoft FTP site at ftp://ftp.microsoft.com/reskit/win2000/dnsprov.zip.

To install the provider, after extracting the content of the zip file, copy dnsschema.mof to the %systemroot%\system32\wbem\mof folder. The file should be compiled automatically and moved to the Good subfolder. Then copy dnsprov.dll to the %systemroot%\system32\wbem folder and register it with the operating system by running regsvr32 dnsprov.dll. You should get confirmation of successful registration.

You can review the classes created by the MOF file compilation either by checking the documentation provided with the source files or by running any of the utilities included with the WMI SDK (such as WMI CIM Studio) or WbemTest.exe, available on any computer with WMI installed (any Windows 2000 computer). The DNS Provider populates a separate namespace in the WMI hierarchy, root\MicrosoftDNS, which contains about 30 DNS-related classes.

Along with the provider DLL and MOF file, the downloaded zip file contains several VBScript examples which allow you to accomplish most DNS-related management tasks. For example, dnsserver.vbs can be used to:

- stop the DNS server: cscript //nologo dnsserver.vbs stop

- start the DNS server: cscript //nologo dnsserver.vbs start

- restart the DNS server: cscript //nologo dnsserver.vbs restart

- list the DNS server configuration: cscript //nologo dnsserver.vbs LIST

- list zones on the DNS server: cscript //nologo dnsserver.vbs zone

- modify the configuration of the DNS server: cscript //nologo dnsserver.vbs modify

With dnszones.vbs, you can create, modify, add, delete, pause, update, resume, reload, and refresh DNS zones. dnsrecord.vbs allows you to add, delete, modify, and list resource records.

36. Explain about DHCP and about Super Scope

Dynamic Host Configuration Protocol was derived from the Internet standard Bootstrap Protocol (BOOTP) (RFCs 951 and 1084), which allowed dynamic assignment of IP addresses (as well as remote booting of diskless workstations). In addition to supporting dynamic assignment of IP addresses, DHCP supplies all configuration data required by TCP/IP, plus additional data required for specific servers.

As noted, this makes life easier for the network administrator, who can now manually configure just one machine: the DHCP server. Whenever a new host is plugged into the network segment that is served by the DHCP server (or an existing host is turned back on), the machine asks for a unique IP address, and the DHCP server assigns it one from the pool of available IP addresses.

This process, shown in Figure 1 below, involves just four steps: the DHCP client asks for an IP address (DHCP Discover), is offered an address (DHCP Offer), accepts the offer and requests the address (DHCP Request), and is officially assigned the address (DHCP Acknowledge).

Figure 1. DHCP automates the assignment of IP addresses

To make sure addresses are not wasted, the DHCP server places an administrator-defined time limit on the address assignment, called a lease. Halfway through the lease period, the DHCP client requests a lease renewal, and the DHCP server extends the lease. This means that when a machine stops using its assigned IP address (for example, on being moved to another network segment or being retired), the lease expires, and the address is returned to the pool for reassignment.
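The four-step exchange described above, as an added example that is not part of the original page: it builds the Discover, Offer, Request and Acknowledge messages in the RFC 2131 wire format, parses them back, and checks the Offer's server identifier (option 54) against the list of DHCP servers you operate, which is how a rogue server answering on the segment shows up. The MAC address, IP addresses, transaction ID and the KNOWN_DHCP_SERVERS allowlist are constructed.

```python
"""Build and parse DHCP messages (RFC 2131) to walk the Discover/Offer/
Request/Acknowledge lease exchange.

Added example, not part of the original page.  The MAC address, IP
addresses, transaction ID and KNOWN_DHCP_SERVERS allowlist are constructed."""
import struct
import ipaddress

MAGIC = b"\x63\x82\x53\x63"                 # magic cookie that starts the options field
BOOTREQUEST, BOOTREPLY = 1, 2               # op field
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5  # option 53 (message type) values

KNOWN_DHCP_SERVERS = ["10.0.0.1"]           # assumed: the servers you actually run


def build(op, msg_type, xid, mac, yiaddr="0.0.0.0", options=()):
    """Return a raw DHCP message; options is an iterable of (code, bytes)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    # A client has no address yet, so it asks for the reply to be broadcast.
    flags = 0x8000 if op == BOOTREQUEST else 0
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, xid, 0, flags,
                        b"\x00" * 4,                            # ciaddr
                        ipaddress.IPv4Address(yiaddr).packed,   # yiaddr ("your" address)
                        b"\x00" * 4, b"\x00" * 4,               # siaddr, giaddr
                        chaddr, b"\x00" * 64, b"\x00" * 128)    # chaddr, sname, file
    opts = bytes([53, 1, msg_type])
    for code, value in options:
        opts += bytes([code, len(value)]) + value
    return fixed + MAGIC + opts + b"\xff"


def is_dhcp(data):
    """Minimum length and magic cookie present."""
    return len(data) >= 240 and data[236:240] == MAGIC


def parse(data):
    """Decode the fixed header and TLV options; raise ValueError on malformed input."""
    if not is_dhcp(data):
        raise ValueError("not a DHCP message")
    op, _, _, _, xid, _, _, _, yiaddr, _, _, chaddr = struct.unpack(
        "!BBBBIHH4s4s4s4s16s", data[:44])
    options, i = {}, 240
    while i < len(data):
        code = data[i]
        if code == 255:                     # end option
            break
        if code == 0:                       # pad option
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option")
        length = data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
            "mac": chaddr[:6].hex(":"), "type": options.get(53, b"\x00")[0],
            "options": options}


def lease_exchange(client_mac, server_ip, offered_ip, xid=0x3903F326):
    """Return the four raw messages of one lease: Discover, Offer, Request, Ack."""
    server_id = (54, ipaddress.IPv4Address(server_ip).packed)
    lease_time = (51, struct.pack("!I", 86400))
    discover = build(BOOTREQUEST, DISCOVER, xid, client_mac,
                     options=[(55, bytes([1, 3, 6, 15]))])   # parameter request list
    offer = build(BOOTREPLY, OFFER, xid, client_mac, offered_ip,
                  options=[server_id, lease_time,
                           (1, ipaddress.IPv4Address("255.255.255.0").packed)])
    request = build(BOOTREQUEST, REQUEST, xid, client_mac,
                    options=[server_id, (50, ipaddress.IPv4Address(offered_ip).packed)])
    ack = build(BOOTREPLY, ACK, xid, client_mac, offered_ip,
                options=[server_id, lease_time])
    return [discover, offer, request, ack]


def offer_is_trusted(offer, known_servers=KNOWN_DHCP_SERVERS):
    """True if the Offer carries a server identifier (option 54) you operate."""
    sid = offer["options"].get(54)
    return sid is not None and len(sid) == 4 and \
        str(ipaddress.IPv4Address(sid)) in set(known_servers)


if __name__ == "__main__":
    for raw in lease_exchange("00:0c:29:aa:bb:cc", "10.0.0.1", "10.0.0.102"):
        m = parse(raw)
        print(m["type"], m["mac"], m["yiaddr"], "trusted" if offer_is_trusted(m) else "")
```

The same parse and offer_is_trusted functions work on Offers captured from the wire (UDP port 68 on the client side); a server identifier outside the allowlist is the signal that something other than your DHCP server is handing out leases.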

Super Scope: Using superscopes

A superscope is an administrative feature of DHCP servers running Windows Server 2003 that you can create and manage through the DHCP console. Using a superscope, you can group multiple scopes as a single administrative entity. With this feature, a DHCP server can:

• Support DHCP clients on a single physical network segment (such as a single Ethernet LAN segment) where multiple logical IP networks are used. When more than one logical IP network is used on each physical subnet or network, such configurations are often called multinets.


• Support remote DHCP clients located on the far side of DHCP and BOOTP relay agents (where the network on the far side of the relay agent uses multinets).

In multinet configurations, you can use DHCP superscopes to group and activate individual scope ranges of IP addresses used on your network. In this way, the DHCP server computer can activate and provide leases from more than one scope to clients on a single physical network.

Superscopes can resolve certain types of DHCP deployment issues for multinets, including situations in which:

• The available address pool for a currently active scope is nearly depleted, and more computers need to be added to the network. The original scope includes the full addressable range for a single IP network of a specified address class. You need to use another IP network range of addresses to extend the address space for the same physical network segment.

• Clients must be migrated over time to a new scope (such as to renumber the current IP network from an address range used in an existing active scope to a new scope that contains another IP network range of addresses).

• You want to use two DHCP servers on the same physical network segment to manage separate logical IP networks.

39. What is Schema master

Understanding that all resources in Active Directory are represented by objects, and that all objects have attributes, we can now understand that the schema contains the definitions for all these objects and attributes. Put another way, the schema is the rules that govern what objects can be in the directory, and what attributes those objects can have.

An Active Directory forest can have only one schema, and all domains in that forest share the same schema. This ensures that all objects in the forest conform to the same set of rules. The schema can be changed, or extended, to include new definitions. The schema is protected from unauthorized changes by permissions, similar to other Active Directory objects.

The schema is made up of two things: object classes, and attributes.

Object Classes: We know that there are objects represented in Active Directory, such as the user "Bob," or the printer "Accounting." These objects are instances of the object classes "User" or "Printer." Every object that can be created in AD is an instance of an object class. So one of the things that the schema is made up of is a list of all of the possible object classes. Every new object that is created must belong to an object class in this list.

Attributes: A list of all of the possible attributes for object classes is the second part of the schema. These attributes are defined just once in this list, but can be used in multiple object classes. For instance, the attribute "Location" may be used for the object classes of both printers and computers, but it is defined only once in the schema. By defined, we mean that it is given a unique name, as well as a syntax. The syntax tells what data type the attribute is. The schema keeps track of which attributes are used with each object class, so that when a new object of the class "User" is created, it will have all of the same attributes as all the other user objects (full name, telephone, etc.).

The schema itself is actually stored inside Active Directory, as opposed to being read in from a text file, as is common with some databases or directories. According to Microsoft, this has three advantages:

The schema is dynamically available to user applications, so they can read it and discover what object classes and attributes are available for use.

The schema is dynamically updateable, so that an application can extend the schema (add object classes and attributes) "on the fly."

The schema can be protected using DACLs (discretionary access control lists), enabling only authorized users to make schema changes.

There is one and only one Schema Master in a forest. Schema changes can be written only on the domain controller holding this role; they then replicate through normal Active Directory replication to all other domain controllers in the forest. Since the schema of Active Directory is rarely changed, however, the Schema Master role will rarely do any work. Typical scenarios where this role is used would be when you deploy Exchange Server onto your network, or when you upgrade domain controllers from Windows 2000 to Windows Server 2003 (adprep /forestprep), as these situations both involve making changes to the Active Directory schema.

51. What is the use of a stub zone in DNS?

A stub zone is like a secondary zone in that it obtains its resource records from other name servers (one or more master name servers). A stub zone is also read-only like a secondary zone, so administrators can't manually add, remove, or modify resource records on it. But the differences end here, as stub zones are quite different from secondary zones in a couple of significant ways.  

First, while secondary zones contain copies of all the resource records in the corresponding zone on the master name server, stub zones contain only three kinds of resource records:

A copy of the SOA record for the zone.

Copies of NS records for all name servers authoritative for the zone.

Copies of A records for all name servers authoritative for the zone.

That's it: no CNAME records, MX records, SRV records, or A records for other hosts in the zone.

So while a secondary zone can be quite large for a big company's network, a stub zone is always very small, just a few records. This means keeping a stub zone current adds almost no DNS traffic to your network, as the records for name servers rarely change unless you decommission an old name server or deploy a new one. Stub zones also do not use zone transfers (AXFR/IXFR, which run over TCP and can move an entire zone); instead the stub zone periodically issues ordinary SOA, NS and A queries, each a single small request and response. So while a full zone transfer might involve many packets, refreshing a stub zone involves only a few. Also, while most DNS servers can be configured to refuse zone transfers to secondary servers, a stub zone requests only the SOA, NS and A records for the name servers, which any name server answers without restriction since these records are essential for name resolution to function properly. Finally, since stub zones can be integrated within Active Directory (secondary zones can't), they can make use of Active Directory replication to propagate their information to all domain controllers on your network.

In our previous scenario, stub zones can be used instead of secondary zones to reduce the amount of zone transfer traffic over the WAN link connecting the two companies. To do this, the administrator for Company A would simply log on to one of the domain controllers, open the DNS console, and create a new stub zone that uses one or more of Company B's name servers as master name servers. By making this stub zone an Active Directory integrated zone, the stub zone will then be automatically replicated to all other domain controllers on Company A's network. Now when a client on Company A's network wants to connect to a resource on Company B's network, the client issues a DNS query to the nearest Company A domain controller, which uses the NS and A records in the stub zone to send the query to one of Company B's name servers to resolve.

49. What is the difference between a basic disk and a dynamic disk?

As you probably know, Windows NT supports four primary partitions per physical hard disk, one of which can be an extended partition. Of course, you can create logical drives within the extended partition. Windows 2000 (Win2K) follows the same strategy: You can have a maximum of four primary partitions, one of which can be an extended partition with logical drives. However, Win2K supports two new disk configuration types—basic disk and dynamic disk—which you must understand to effectively configure and troubleshoot Win2K disk storage.

Basic Disk A Win2K basic disk, which is similar to the disk configuration we're used to in NT, is a physical disk with primary and extended partitions. As long as you use an appropriate format, Win2K, NT, Windows 9x, and DOS can access basic disks. Unlike in NT, you don’t need to commit changes or restart your computer to get Disk Management changes to take effect.

Dynamic Disk A Win2K dynamic disk is a physical disk that doesn't use partitions or logical drives. Instead, it contains only dynamic volumes that you create in the Disk Management console. Regardless of what format you use for the file system, only Win2K computers can access dynamic volumes directly. However, computers that aren't running Win2K can access the dynamic volumes remotely when connected to the shared folders over the network. In NT, what we call sets (e.g., mirrored sets, striped sets) are in Win2K called volumes (e.g., mirrored volumes, striped volumes).

With dynamic disks, we can create fault-tolerant volumes such as striped, mirrored, and RAID-5 volumes. In addition, we can extend volumes and make changes to the disk without rebooting the computer. If you want to take advantage of these features, especially software fault- tolerant features, you must upgrade to dynamic disk.

Upgrading to Dynamic Disk You use Win2K's Disk Management to upgrade a basic disk to a dynamic disk. Click Start and go to Programs, Administrative Tools, Computer Management.


You’ll find Disk Management under Storage, as Screen 1 shows. Click the gray area where you see the disk icon and the word Basic. Right-click and select Upgrade to Dynamic Disk. Note that you can’t dual-boot to another OS if you upgrade to dynamic disk, which typically isn't a big deal for servers, but it's something to think about for Windows 2000 Professional (Win2K Pro) machines.

For all practical purposes, upgrading to a dynamic disk is a one-way process. Although it's possible to convert a dynamic disk with volumes to a basic disk, you'll lose all your data. Therefore, you must first save your data, convert the disk to basic, and then restore your data.

Comparing Basic Disk to Dynamic Disk When you install Win2K on a computer, the system automatically configures the hard disks as basic disks. You can convert a basic disk to a dynamic disk using Disk Management, but you can't extend a basic disk. In other words, you can only extend volumes you created after you converted the disk to a dynamic disk.

You can create primary and extended partitions on a basic disk, and, as I mentioned earlier, you can create an extended partition with logical drives on a basic disk. A dynamic disk can contain simple, spanned, mirrored, striped, and RAID-5 volumes. You can also extend a simple or spanned volume on a dynamic disk.

Win2K doesn't support dynamic disks on laptops: unless you're using an older machine that's not Advanced Configuration and Power Interface (ACPI)-compliant (so that Win2K can't tell it is a portable), the Upgrade to Dynamic Disk option won't be available. Dynamic disks have some additional limitations. You can't install Win2K on a dynamic volume you created from raw space on a dynamic disk. You can install Win2K on a dynamic volume that you upgraded from a basic disk, but you can't extend either the system or the boot partition. Any troubleshooting tools that are unable to read the dynamic Disk Management database will work only on a basic disk.

You can use NTFS, FAT32, or FAT16 on a basic or a dynamic disk. Because the upgrade from basic to dynamic is per physical disk, all volumes on a physical disk must be either basic or dynamic. As I mentioned earlier, you don’t need to save changes in Disk Management (as you do in NT’s Disk Administrator) or restart your computer when you upgrade from a basic to a dynamic disk. However, if you upgrade your startup disk or upgrade a volume or partition, you must restart your computer.

Basic and dynamic disks are a new way of looking at hard disk configuration. If you're migrating to Win2K from NT, the dynamic disk concept might seem strange initially, but you’ll find that once you understand the differences and the pros and cons, working with dynamic disks is not complicated.


New questions & Answers:

1. What's the difference between local, global and universal groups? Domain local groups are used to grant permissions to resources in their own domain; they can contain users, global groups and universal groups from any trusted domain. Global groups contain accounts from their own domain only and can be granted permissions to resources in any trusted domain. Universal groups can contain members from any domain in the forest and can be granted permissions to resources anywhere in the forest; their membership is stored in the global catalog.

2. I am trying to create a new universal user group. Why can't I? Universal security groups are allowed only in native-mode domains (Windows 2000 native or a higher domain functional level). Native mode requires that no Windows NT 4.0 backup domain controllers remain in the domain; all domain controllers must be running Windows 2000 or Windows Server 2003.

3. What is LSDOU? It's the group policy processing order: policies are applied to the Local machine, then the Site, the Domain and the Organizational Units, with later policies overriding earlier ones where they conflict.

4. Why doesn't LSDOU work under Windows NT? If an NTConfig.pol file exists, it has the highest priority among the numerous policies.

5. Where are group policies stored? %SystemRoot%\System32\GroupPolicy (the local Group Policy object).

6. What is GPT and GPC? Group policy template and group policy container. The GPT is the file-system part of a GPO in SYSVOL; the GPC is the Active Directory object for the GPO under CN=Policies,CN=System in the domain.

7. Where is GPT stored? %SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID

8. You change the group policies, and now the computer and user settings are in conflict. Which one has the highest priority? The computer settings take priority.

9. You want to set up a remote installation procedure, but do not want the user to gain access over it. What do you do? gponame -> User Configuration -> Windows Settings -> Remote Installation Services -> Choice Options is your friend.

10. What’s contained in administrative template conf.adm? Microsoft NetMeeting policies

11. How can you restrict running certain applications on a machine? Via group policy: Computer Configuration (or User Configuration) -> Windows Settings -> Security Settings -> Software Restriction Policies.

12. You need to automatically install an app, but MSI file is not available. What do you do? A .zap text file can be used to add applications using the Software Installer, rather than the Windows Installer.

13. What’s the difference between Software Installer and Windows Installer? The former has fewer privileges and will probably require user intervention. Plus, it uses .zap files.

14. What can be restricted on Windows Server 2003 that wasn't there in previous products? Group Policy in Windows Server 2003 determines a user's right to modify network and dial-up TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network configuration parameters.


15. How frequently is the client policy refreshed? Every 90 minutes, with a random offset of up to 30 minutes (domain controllers refresh every 5 minutes).

16. Where is secedit? Its /refreshpolicy function is now gpupdate.

17. You want to create a new group policy but do not wish to inherit. Make sure you check Block Policy inheritance on the container (site, domain or OU) to which you link the policy.

18. What is "tattooing" the Registry? The user can view and modify user preferences that are not stored in maintained portions of the Registry. If the group policy is removed or changed, the user preference will persist in the Registry.

19. How do you fight tattooing in NT/2000 installations? You can't.

20. How do you fight tattooing in 2003 installations? User Configuration - Administrative Templates - System - Group Policy - enable - Enforce Show Policies Only.

21. What does IntelliMirror do? It helps to reconcile desktop settings, applications, and stored files for users, particularly those who move between workstations or those who must periodically work offline.

22. What’s the major difference between FAT and NTFS on a local machine? FAT and FAT32 provide no security over locally logged-on users. Only native NTFS provides extensive permission control on both remote and local files.

23. How do FAT and NTFS differ in approach to user shares? They don’t, both have support for sharing.

24. Explain the List Folder Contents permission on a folder in NTFS. Same as Read & Execute, but not inherited by files within the folder. However, newly created subfolders will inherit this permission.

25. I have a file to which the user has access, but he has no folder permission to read it. Can he access it? It is possible for a user to navigate to a file for which he does not have folder permission. This involves simply knowing the path of the file object. Even if the user can't drill down the file/folder tree using My Computer, he can still gain access to the file using the Universal Naming Convention (UNC) path. The best way to start would be to type the full path of the file into the Run... window. This works because the Bypass traverse checking user right is granted to Everyone by default, so the permissions on the intermediate folders are not checked.

26. For a user in several groups, are Allow permissions restrictive or permissive? Permissive: if at least one group has an Allow permission for the file/folder, the user will have that permission.

27. For a user in several groups, are Deny permissions restrictive or permissive? Restrictive: if at least one group has a Deny permission for the file/folder, the user will be denied that access regardless of the Allow permissions of other groups at the same level, because Windows evaluates explicit Deny entries before explicit Allow entries (and explicit entries before inherited ones).
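The Allow/Deny logic behind questions 26 and 27, as an added example that is not part of the original page. It walks a constructed DACL in the Windows canonical order (explicit Deny, explicit Allow, inherited Deny, inherited Allow) and accumulates granted rights, so an Allow from any one of the user's groups is enough (question 26) while a Deny for any group at the same level wins (question 27), and an explicit Allow still beats an inherited Deny. Principals, group names, rights masks and the sample ACL are constructed for illustration.

```python
"""Evaluate NTFS-style Allow/Deny entries for a user who is in several groups.

Added example, not part of the original page.  The principals, groups,
rights masks and DACL below are constructed; the evaluation follows the
Windows canonical DACL order (explicit Deny, explicit Allow, inherited
Deny, inherited Allow)."""

READ, WRITE, EXECUTE, DELETE = 1, 2, 4, 8
FULL = READ | WRITE | EXECUTE | DELETE


def ace(kind, trustee, mask, inherited=False):
    """One access control entry; kind is "allow" or "deny"."""
    return {"kind": kind, "trustee": trustee, "mask": mask, "inherited": inherited}


def canonical_order(dacl):
    """Explicit ACEs before inherited ones, Deny before Allow within each level."""
    return sorted(dacl, key=lambda a: (a["inherited"], a["kind"] != "deny"))


def access_check(dacl, user, groups, requested):
    """True when every requested right is granted before a Deny matching any
    still-ungranted right is reached.  An empty DACL grants nothing."""
    if requested == 0:
        return False
    principals = {user, *groups}
    granted = 0
    for a in canonical_order(dacl):
        if a["trustee"] not in principals:
            continue                            # ACE is for someone else
        remaining = requested & ~granted
        if a["kind"] == "deny" and a["mask"] & remaining:
            return False                        # a matching Deny ends the check
        if a["kind"] == "allow":
            granted |= a["mask"] & requested    # Allows accumulate across groups
            if granted == requested:
                return True
    return False


# Constructed sample folder ACL: Sales may read and run, Bob may write
# explicitly, Temps are denied read, Contractors are denied write by
# an ACE inherited from the parent folder.
SAMPLE_DACL = [
    ace("allow", "Sales", READ | EXECUTE),
    ace("allow", "Bob", WRITE),
    ace("deny", "Temps", READ),
    ace("deny", "Contractors", WRITE, inherited=True),
]


def effective_rights(dacl, user, groups):
    """Bit mask of the individual rights the user can obtain."""
    return sum(r for r in (READ, WRITE, EXECUTE, DELETE)
               if access_check(dacl, user, groups, r))


if __name__ == "__main__":
    for who, grp in [("Bob", ["Sales", "Contractors"]), ("Alice", ["Sales", "Temps"])]:
        print(who, format(effective_rights(SAMPLE_DACL, who, grp), "04b"))
```

Bob (Sales and Contractors) can write because his explicit Allow is evaluated before the inherited Deny on Contractors; Alice (Sales and Temps) cannot read because the explicit Deny on Temps is evaluated before the explicit Allow on Sales.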

28. What hidden shares exist on Windows Server 2003 installation? Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.

29. What’s the difference between standalone and fault-tolerant DFS (Distributed File System) installations? The standalone server stores the Dfs directory tree structure or topology locally. Thus, if a shared folder is inaccessible or if the Dfs root server is down, users are left with no link to the shared resources. A fault-tolerant root node stores the Dfs topology in the Active Directory, which is replicated to other domain controllers. Thus, redundant root nodes may include multiple connections to the same data residing in different shared folders.


30. We're using the DFS fault-tolerant installation, but cannot access it from a Win98 box. Use the UNC path of the underlying share, not the DFS client; only Windows 2000 and 2003 clients can access Server 2003 fault-tolerant (domain-based) DFS roots.

31. Where exactly do fault-tolerant DFS shares store information in Active Directory? In Partition Knowledge Table, which is then replicated to other domain controllers.

32. Can you use Start->Search with DFS shares? Yes.

33. What problems can you have with DFS installed? Two users opening the redundant copies of the file at the same time, with no file locking involved in DFS, changing the contents and then saving. Only one file will be propagated through DFS.

34. I run Microsoft Cluster Server and cannot install fault-tolerant DFS. Yeah, you can’t. Install a standalone one.

35. Is Kerberos encryption symmetric or asymmetric? Symmetric.

36. How does Windows 2003 Server try to prevent a middle-man attack on an encrypted line? A time stamp is attached to the initial client request (pre-authentication), encrypted with the shared key, so a captured request cannot be replayed later.

37. What hashing algorithms are used in Windows 2003 Server? RSA Data Security's Message Digest 5 (MD5), which produces a 128-bit hash, and the Secure Hash Algorithm 1 (SHA-1), which produces a 160-bit hash.

38. What third-party certificate exchange protocols are used by Windows 2003 Server? Windows Server 2003 uses the industry standard PKCS-10 certificate request and PKCS-7 certificate response to exchange CA certificates with third-party certificate authorities.

39. What’s the number of permitted unsuccessful logons on Administrator account? Unlimited. Remember, though, that it’s the Administrator account, not any account that’s part of the Administrators group.

40. If hashing is a one-way function and Windows Server uses hashing for storing passwords, how is it possible to attack the password lists, specifically the ones using NTLMv1? A cracker would launch a dictionary attack by hashing every imaginable term used for a password and then comparing the hashes. Since the stored NT hashes are unsalted, each candidate needs to be hashed only once to be compared against every account in the list.

41. What’s the difference between guest accounts in Server 2003 and other editions? More restrictive in Windows Server 2003.

42. How many passwords by default are remembered when you check "Enforce Password History Remembered"? User’s last 6 passwords.
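The dictionary attack from question 40, as an added example that is not part of the original page: it computes NT hashes (MD4 over the UTF-16LE password, the value NTLMv1 derives its response key from) for a wordlist and matches them against a constructed hash dump. Because the hash is unsalted, one hash per candidate word covers every dumped account. MD4 is implemented inline since hashlib does not expose it on OpenSSL 3 builds; the dump and the wordlist are constructed.

```python
"""Dictionary attack against NT hashes, the unsalted MD4 digests that NTLMv1
(and the SAM) are built on.

Added example, not part of the original page.  MD4 is implemented inline
because hashlib does not expose it on OpenSSL 3 builds; the captured hash
list and the wordlist are constructed."""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data):
    """RFC 1320 MD4 digest of a byte string."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, k, order, shifts in rounds:
            for step, i in enumerate(order):
                # Each step rewrites one register; rotating the tuple walks ABCD -> DABC -> ...
                a, b, c, d = d, _rotl((a + func(b, c, d) + x[i] + k) & _MASK, shifts[step % 4]), b, c
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password):
    """NT hash = MD4(UTF-16LE(password)); no salt, no iteration."""
    return md4(password.encode("utf-16-le"))


def crack(captured_hashes, wordlist):
    """Map each captured hash (hex) to the first wordlist entry that produces it.
    Because the hash is unsalted, each candidate is hashed once and compared
    against every target, however many accounts were dumped."""
    found = {h.lower(): None for h in captured_hashes}
    for word in wordlist:
        digest = nt_hash(word).hex()
        if digest in found and found[digest] is None:
            found[digest] = word
    return found


if __name__ == "__main__":
    # Constructed "dump": two NT hashes the wordlist covers and one it does not.
    dump = ["8846F7EAEE8FB117AD06BDD830B7586C", "31d6cfe0d16ae931b73c59d7e0c089c0", "00" * 16]
    for digest, pw in crack(dump, ["letmein", "password", "", "Summer2003"]).items():
        print(digest, "->", repr(pw))
```

The first hash in the dump is the NT hash of "password" and the second is the NT hash of an empty password; both fall out of a three-word list, which is the point of question 40 and the reason NTLMv1 should be disabled in favour of NTLMv2 or Kerberos wherever clients allow it.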

37. Explain about group policies and troubleshooting tools
26. What is ADS site Connector?
40. Explain about Remote Access Server (RRAS)
41. Remote Installation
42. Folder Redirection
43. ADS architecture
45. What is the difference between NT and Windows 2000?
46. Differences between 2k and 2k3
47. Differences between 2k Server, Advanced Server, Datacenter Edition and Web Edition
48. What are the differences between Windows XP Home and Professional?
52. What is a forwarder in DNS?
54. Explain about Performance Monitor of the server
55. Explain about the different logs and events in Event Viewer

1. What is a MUTEX?
2. What is the difference between a 'thread' and a 'process'?
3. What is an INODE?
4. Explain the working of Virtual Memory.
5. How does Windows NT support multitasking?
6. Explain the Unix Kernel.
7. What is Concurrency? Explain with examples Deadlock and Starvation.
8. What are your solution strategies for the "Dining Philosophers Problem"?
9. Explain Memory Partitioning, Paging, Segmentation.
10. Explain Scheduling.
11. Operating System Security.
12. What is a Semaphore?
13. Explain the following file systems: NTFS, Macintosh (HFS), FAT.
14. What are the different process states?
15. What is Marshalling?
16. Define and explain COM.
17. Difference between Loading and Linking?

1. Users are complaining of delays when using the network. What would you do?
2. What are some of the problems associated with operating a switched LAN?
3. Name some of the ways of combining TCP/IP traffic and SNA traffic over the same link.
4. What sort of cabling is suitable for Fast Ethernet protocols?
5. What is a Class D IP address?
6. Why do I sometimes lose a server's address when using more than one server?
7. What is a Firewall?
8. How do I monitor the activity of sockets?
9. How would I put my socket in non-blocking mode?
10. What are RAW sockets?
11. What is the role of the TCP protocol and the IP protocol?
12. What is UDP?
13. How can I make my server a daemon?
14. How should I choose a port number for my server?
15. Layers in TCP/IP
16. How can I be sure that a UDP message is received?
17. How to get the IP header of a UDP message
18. Writing UDP/SOCK_DGRAM applications
19. How many bytes in an IPX network address?
20. What is the difference between MUTEX and Semaphore?
21. What is priority inversion?
22. Different solutions to the dining philosophers problem.
23. What is a message queue?
24. Questions on Shared Memory.
25. What is DHCP?
26. Working of ping, telnet, gopher.
27. Can I connect two computers to the internet using the same line?

Networking

1. Explain about OSI layers
2. Explain about TCP/IP implementation
3. Explain about classful and classless addressing
4. Explain about IP addresses and classes
5. What is the difference between a switch and a hub?
6. What is the difference between a layer 2 and a layer 3 switch?
7. What is the difference between a layer 3 switch and a router?
8. What is a routed protocol and a routing protocol?
9. Difference between RIP, IGRP and EIGRP
10. What is the difference between link state and distance vector?
11. Explain about ISDN channels
12. Explain about leased-line modems and their voltages
13. What is static and dynamic routing?
14. Explain about LAN technologies
15. Explain about WAN technologies
16. What kinds of loops are there? Explain them.
17. If a serial interface on a router has a status of line protocol down and protocol down?
18. What is the command used for creating access lists?
19. How do you monitor broadcast-based traffic on the switch?