
1. Can I deploy non-MSI software with GPO?
Yes, you can. Apart from MSI packages, GPO also supports deployment of ZAP files.
2. How frequently is the client policy refreshed?
By default, group policy is updated in the background every 90 minutes. You can specify an update rate from 0 to 44,640 minutes (31 days). If you select 0 minutes, the computer tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations.
The refresh interval can be configured manually using group policy: GPO --> Computer Configuration --> Administrative Templates --> System --> Group Policy --> Set Group Policy refresh interval for Computers
3. How do Group Policy No Override and Block Inheritance work?
No Override (Enforced) - Prevents child containers from overriding policies set at higher levels.
Block Inheritance - Stops containers inheriting policies from parent containers.
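Added example (not part of the original Q&A): a short Python model of how Block Inheritance and No Override (Enforced) change the set and order of GPOs that apply. Processing follows Local Policy, Site, Domain, OU, child OU, with later GPOs winning on a conflict; the container tree, GPO names and settings below are constructed for illustration.

```python
# Added example (not from the original document): how Block Inheritance and
# No Override (Enforced) change which GPOs apply and in what order.
# Processing order is Local, Site, Domain, OU, child OU (later wins on a
# conflict). Block Inheritance on a container discards every non-enforced GPO
# linked above it; enforced links cannot be blocked and are applied after all
# others, with the enforced link from the highest container applied last.
# Container and GPO names below are constructed.

# (container, [(gpo_name, enforced)], block_inheritance) from site to leaf OU
HIERARCHY = [
    ("Site:HQ",            [("Site-Baseline", False)],                          False),
    ("Domain:example.com", [("Domain-Security", True), ("Domain-Apps", False)], False),
    ("OU=Servers",         [("Servers-Hardening", False)],                      True),
    ("OU=Web,OU=Servers",  [("Web-Config", False)],                             False),
]


def effective_gpo_order(hierarchy, local_policy="Local Policy"):
    """Policies in the order they are applied; a later entry overrides an earlier one."""
    applied = [local_policy]
    enforced = []
    for _container, links, block in hierarchy:
        if block:
            # Block Inheritance: drop every non-enforced GPO inherited so far.
            # Local policy is not a link and is still processed first.
            applied = [local_policy]
        for gpo, is_enforced in links:
            if is_enforced:
                enforced.append(gpo)
            else:
                applied.append(gpo)
    # Enforced links win over everything below them: apply them last, with the
    # highest-level enforced link applied very last.
    return applied + list(reversed(enforced))


def resolve_setting(order, settings_by_policy, name):
    """The last policy in processing order that defines `name` wins."""
    winner = None
    for policy in order:
        if name in settings_by_policy.get(policy, {}):
            winner = (policy, settings_by_policy[policy][name])
    return winner


def without_enforcement(hierarchy):
    """Same tree, but with every link's Enforced flag cleared, for comparison."""
    return [(c, [(g, False) for g, _e in links], block) for c, links, block in hierarchy]


# Constructed settings to show a conflict being resolved
SETTINGS = {
    "Domain-Security":   {"MinPasswordLength": 14},
    "Servers-Hardening": {"MinPasswordLength": 10},
    "Web-Config":        {"MinPasswordLength": 8, "HomePage": "intranet"},
}

if __name__ == "__main__":
    order = effective_gpo_order(HIERARCHY)
    print(order)
    print(resolve_setting(order, SETTINGS, "MinPasswordLength"))
    print(resolve_setting(effective_gpo_order(without_enforcement(HIERARCHY)), SETTINGS, "MinPasswordLength"))
```

With the domain link enforced, the Block Inheritance on OU=Servers cannot stop Domain-Security, and its password length wins; clear the flag and the same block silently drops it, leaving the weakest setting from the leaf OU in force.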
4. Why can't you restore a DC that was backed up 4 months ago?
The reason is 'tombstoning'. If a domain controller was restored from a backup that was older than the tombstone lifetime, then the domain controller might contain deleted objects, and because the tombstones are deleted from the replica, the deletion event does not replicate into the restored domain controller. This is why Backup does not allow you to restore data from a backup that is older than the tombstone lifetime.
More details about tombstoning:
http://www.systemadminguide.in/2013/11/active-directory-tombstone.html
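Added example (not part of the original Q&A): a small Python simulation of the mechanism described above. Two DCs, an object DN and a 180-day tombstone lifetime are constructed for illustration; the real lifetime depends on the forest. Restoring a backup younger than the lifetime lets the tombstone replicate back so the object stays deleted; restoring an older one leaves the object alive on the restored DC, with nothing left on its partner to replicate the deletion.

```python
# Added example (not from the original document): simulate why a DC backup
# older than the tombstone lifetime cannot be safely restored.
# The DC names, the object DN and the 180-day lifetime are constructed for
# illustration; the real tombstone lifetime depends on the forest.

TOMBSTONE_LIFETIME_DAYS = 180  # assumed value for this simulation


class DomainController:
    def __init__(self, name):
        self.name = name
        # dn -> {"deleted": bool, "deleted_on": day number or None}
        self.objects = {}

    def create(self, dn):
        self.objects[dn] = {"deleted": False, "deleted_on": None}

    def delete(self, dn, today):
        # A deletion does not remove the object; it becomes a tombstone so
        # that the deletion itself can replicate to every partner.
        self.objects[dn] = {"deleted": True, "deleted_on": today}

    def garbage_collect(self, today):
        # Tombstones older than the lifetime are purged for good.
        expired = [dn for dn, obj in self.objects.items()
                   if obj["deleted"] and today - obj["deleted_on"] >= TOMBSTONE_LIFETIME_DAYS]
        for dn in expired:
            del self.objects[dn]

    def backup(self):
        return {dn: dict(obj) for dn, obj in self.objects.items()}

    def restore(self, snapshot):
        self.objects = {dn: dict(obj) for dn, obj in snapshot.items()}

    def replicate_from(self, partner):
        # Pull the partner's state. A tombstone always wins over a live copy;
        # an object the partner has already purged produces no replication
        # traffic at all, so a restored replica keeps it as a live object.
        for dn, obj in partner.objects.items():
            if obj["deleted"] or dn not in self.objects:
                self.objects[dn] = dict(obj)


def restore_allowed(backup_age_days):
    """Backup tools refuse backups older than the tombstone lifetime."""
    return backup_age_days < TOMBSTONE_LIFETIME_DAYS


def lingering_objects_after_restore(backup_age_days):
    """Return the live objects on DC1 after restoring a backup of the given age
    that predates a deletion made on DC2."""
    dn = "CN=svc-old,OU=Service,DC=example,DC=com"   # constructed DN
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.create(dn)
    dc2.replicate_from(dc1)
    snapshot = dc1.backup()                 # day 0: backup taken while the object is live
    dc2.delete(dn, today=1)                 # day 1: object deleted on DC2
    dc1.replicate_from(dc2)                 # tombstone reaches DC1 normally
    for dc in (dc1, dc2):
        dc.garbage_collect(today=backup_age_days)
    dc1.restore(snapshot)                   # DC1 is restored from the old backup
    dc1.replicate_from(dc2)                 # does the deletion replicate back?
    return sorted(d for d, obj in dc1.objects.items() if not obj["deleted"])


if __name__ == "__main__":
    for age in (30, 200):
        print(age, "days old:", restore_allowed(age), lingering_objects_after_restore(age))
```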
5. I want to look at the RID allocation table for a DC. What do I do?
Dcdiag.exe /TEST:RidManager /v | find /i "Available RID Pool for the Domain"
6. Can you connect Active Directory to other 3rd-party directory services? Name a few options.
Microsoft Identity Integration Server (MIIS)
Forefront Identity Manager (FIM)
7. Can you explain the Netlogon service?
The Netlogon service helps client computers and servers connect to the domain.
8. What is urgent replication in AD?
Normally, a change in a DC (say DC1) is notified to its replication partner (say DC2) after 15 seconds. Once the change is notified, DC2 makes the change in its database. DC2 then notifies its replication partner after another 15 seconds. In a multi-site setup, these 15-second delays add up to a big delay for the final recipient DC. If the change was an 'Account Lock Out', this big delay would be a pain. Here comes urgent notification. Urgent notification bypasses the change notification delay and processes the change immediately across all DCs.
9. How to migrate the AD database location to another? (from C:\AD to D:\AD)
1. Stop the Active Directory Domain Services service.
2. Open Command Prompt with Admin privilege.
3. Run the ntdsutil tool.
4. In the ntdsutil prompt, type: Activate instance ntds
5. Then type: files
6. In the next prompt (file maintenance), type: move db to D:\AD
7. Once the database is moved, move the logs using the command: move logs to D:\AD
8. Once completed, start the Active Directory Domain Services service.
10. What is the schema version of Windows 2008 R2?
Windows 2003 R2 - 31
Windows 2008 - 44
Windows 2008 R2 - 47
Windows 2012 - 56
Windows 2012 R2 - 69
11. What's the number of permitted unsuccessful logons for the Administrator account?
Unlimited - Only for the Administrator account, not for others in the Administrators group
12. Difference between Everyone and Authenticated Users?
Authenticated Users - Includes all users and computers whose identities have been authenticated.
Everyone - For Windows 2003 and above, 'Everyone' includes all Authenticated Users including Guest accounts. Before Windows 2003, 'Everyone' included all Authenticated Users, Guest accounts and the Anonymous account.
13. How many passwords are remembered by default when you enable Enforce Password History?
24
14. What is the IP helper-address feature and why is it required in a DHCP environment?
The ip helper-address command implements the DHCP relay agent on Cisco routers.
It is configured on the router interface that faces the network containing the DHCP clients.
The IP helper-address intercepts the DHCP discover broadcast from the client and unicasts it to the DHCP server after adding 'Option 82'. With the help of Option 82, the DHCP server identifies the client network and assigns an IP from that network.
15. What are FRS and DFS-R?
File Replication Service (FRS) was introduced in Windows 2000 Server to replicate DFS and the SYSVOL folder on DCs. FRS is no longer used in new versions.
Distributed File System Replication (DFS-R), introduced in Windows 2008 R2, came out as a replacement for FRS for replicating DFS and SYSVOL.
16. What is Group Policy Preferences?
Group Policy Preferences is a set of new settings released with Windows 2008 that allows IT administrators to configure anything they want in a corporate environment.
17. What is the use of LDP.exe?
It is part of the Windows Support Tools and lets you run any LDAP search against Active Directory.
18. How to replace a failed RAID controller?
This depends on the type of controller used. If you are using a modern RAID controller and replace it with the same model, the RAID should work without any issues, as the RAID configuration (metadata) is stored on the disks of the array. But you should ensure that you use the same model from the vendor, or a model that is compatible with the failed controller.
19. What is the difference between RAID 1 and RAID 5?
RAID 1 - Mirroring - This RAID configuration gives you maximum redundancy, as the same data is written to two disks at a time. But this solution is costly, as you always need double the disks you actually require. Minimum 2 disks required.
RAID 5 - This is the most popular RAID configuration. It works on the parity principle. Minimum 3 disks required. Even if one disk fails, the data of the failed disk can be recalculated from the other 2 disks using the stored parity.
20. In RAID 5, which activity is faster - Read or Write?
Good read performance but slower write operations due to the parity calculation.
RAID 0 and RAID 1 have excellent read and write performance.
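Added example (not part of the original Q&A) for questions 19 and 20: XOR parity as RAID 5 uses it, on a 3-disk layout constructed here. It shows striping with rotating parity, rebuilding a failed disk from the survivors, and the read-modify-write cost of a single block update that makes RAID 5 writes slower than reads.

```python
# Added example (not from the original document): XOR parity as RAID 5 uses
# it, with a 3-disk layout constructed here. Shows striping with rotating
# parity, rebuilding a failed disk from the survivors, and why a single block
# update costs four I/Os (the read-modify-write penalty behind slow writes).


def xor_blocks(*blocks):
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def parity_disk_for(stripe, ndisks):
    # Parity rotates so that no single disk becomes a write hotspot
    return (ndisks - 1 - stripe) % ndisks


def raid5_write(data, ndisks=3, block_size=4):
    """Lay data out over ndisks disks; returns a list of per-disk block lists."""
    per_stripe = ndisks - 1
    chunks = [data[i:i + block_size].ljust(block_size, b"\0")
              for i in range(0, len(data), block_size)]
    while len(chunks) % per_stripe:
        chunks.append(b"\0" * block_size)          # pad the last stripe
    disks = [[] for _ in range(ndisks)]
    for s in range(len(chunks) // per_stripe):
        stripe = chunks[s * per_stripe:(s + 1) * per_stripe]
        data_iter = iter(stripe)
        for d in range(ndisks):
            block = xor_blocks(*stripe) if d == parity_disk_for(s, ndisks) else next(data_iter)
            disks[d].append(block)
    return disks


def raid5_read(disks):
    """Read data back in order, skipping the parity block of each stripe."""
    ndisks = len(disks)
    out = b""
    for s in range(len(disks[0])):
        for d in range(ndisks):
            if d != parity_disk_for(s, ndisks):
                out += disks[d][s]
    return out.rstrip(b"\0")


def rebuild_disk(disks, failed):
    """Every block of the failed disk is the XOR of the same stripe on the others."""
    survivors = [disks[d] for d in range(len(disks)) if d != failed]
    return [xor_blocks(*[disk[s] for disk in survivors]) for s in range(len(survivors[0]))]


def raid5_update_block(disks, stripe, disk, new_block):
    """Single-block update in place; returns the number of disk I/Os used.
    new_parity = old_parity XOR old_data XOR new_data, so the other data disks
    need not be read, but 2 reads + 2 writes are still required, versus 1 write
    on a plain disk and 2 writes on RAID 1."""
    p = parity_disk_for(stripe, len(disks))
    old_data = disks[disk][stripe]       # read 1
    old_parity = disks[p][stripe]        # read 2
    disks[disk][stripe] = new_block      # write 1
    disks[p][stripe] = xor_blocks(old_parity, old_data, new_block)  # write 2
    return 4


if __name__ == "__main__":
    disks = raid5_write(b"hello world!")
    print(raid5_read(disks), rebuild_disk(disks, 1) == disks[1])
```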
21. Can we set up an AD site without a DC?
Yes.
22. What is DAS? How is it connected to the server?
DAS is Direct Attached Storage. DAS is available from many vendors. When a server has exhausted all its storage resources, we can connect a DAS solution to it. DAS can be connected to a server using a SAS cable.
23. How is an iSCSI device connected to a server?
An iSCSI device is connected using its IQN (iSCSI Qualified Name).
24. How can I add new HDD space to an existing drive?
Convert the drive from Basic to Dynamic.
25. What happens when a standalone host is taken into maintenance mode?
The activity will wait until all VMs are shut down.
26. What if all GCs in the environment are down?
GC is required for multi-domain forests - In a single-domain infrastructure, the DCs will not contact the GC for authentication. But in a multi-domain infrastructure, the GC is required for authentication.
Universal Group Membership evaluation - Universal group membership, which exists in multi-domain forests, works only with a GC.
UPN resolution - Users cannot log in to the domain using a username of the form abc@example.com.
27. How to update Dell server BIOS?
Dell provides the update in different file formats: one for Windows, one for Linux, and so on. If it is a VMware server, download the Non-Packaged .exe format from the Dell website and copy it to a DOS bootable USB drive. Shut down the server, boot from the USB drive and execute the file.
28. DSET
Dell Server E-Support Tool (DSET) provides the ability to collect hardware, storage and operating system information from Dell PowerEdge servers.
29. How to upgrade ESXi 5.1 to ESXi 5.5?
Using vSphere Update Manager
Upgrade interactively using the ESXi installer ISO image on CD/DVD or flash drive
Using vSphere Auto Deploy
Using the esxcli command-line interface
1. Maximum number of LUNs that can be attached to a host (ESXi 5.0)
256
2. Maximum number of vCPUs that can be assigned to a VM (ESXi 5.0)
32
3. What are the uses of the ntdsutil tool?
Some of the main uses of the ntdsutil tool:
1. Authoritative Restore - Authoritatively restores the Active Directory database or an AD LDS instance
2. ifm - Creates installation media for writable DC and RODC setups (offline DC provisioning)
3. metadata cleanup - Cleans up objects of decommissioned servers
4. roles - Transfers and seizes operations master roles
5. set DSRM password - Resets the DSRM administrator password
6. snapshot - Manages snapshots of the volumes that contain the Active Directory database and log files

4. FSMO roles and their failure scenarios
http://www.systemadminguide.in/2013/07/fsmo-roles-in-nutshell.html

5. IPv6 addresses and their DNS record
128-bit address
Represented as 8 groups of 4 hexadecimal digits separated by colons
Represented by the AAAA record in DNS
Uses DHCPv6 for addressing

6. Load balancer vs Clustering
Clustering
1. A cluster is a group of resources that are trying to achieve a common objective, and are aware of one another.
2. Clustering usually involves setting up the resources (usually servers) to exchange details on a particular channel (port) and keep exchanging their states, so a resource's state is replicated at other places as well.
3. It usually also includes load balancing, wherein the request is routed to one of the resources in the cluster as per the load balancing policy.
Load Balancing
1. Used to forward requests to one server or another, but one server does not use the other server's resources. Also, one resource does not share its state with other resources.

7. Software installation using group policy
This can be done using 2 methods:
1. Assigning
2. Publishing
Assign:
1. If you assign the program to a user, it is installed when the user logs on to the computer. When the user first runs the program, the installation is completed.
2. If you assign the program to a computer, it is installed when the computer starts, and it is available to all users who log on to the computer. When a user first runs the program, the installation is completed.
Publish:
1. You can publish a program distribution to users.
2. When the user logs on to the computer, the published program is displayed in the Add or Remove Programs dialog box, and it can be installed from there.
MSI packages are used for installation. A normal .exe would not work.
Windows cannot install the software while the user is already logged on; the user needs to log off and log in again.

8. Group policy security filtering for users. Which users are in there by default?
Members of the Authenticated Users group.
Security filtering is a way of refining which users and computers will receive and apply the settings in a Group Policy object (GPO).
In order for the GPO to apply to a given user or computer, that user or computer must have both Read and Apply Group Policy (AGP) permissions on the GPO, either explicitly or effectively through group membership.
By default, all GPOs have Read and AGP both Allowed for the Authenticated Users group.
The Authenticated Users group includes both users and computers. This is how all authenticated users receive the settings of a new GPO when it is applied to an organizational unit, domain or site.

9. Relevance of the hosts file and its location
Came before the concept of DNS
An FQDN is first checked in the hosts file
Location: C:\Windows\System32\Drivers\etc

10. L3 switch vs Routers
L3 switches have only Ethernet ports whereas routers have WAN interfaces
QoS is not available with L3 switches whereas in routers it can be enabled
Routers have expansion slots and cards that allow them to use different media types, like serial connections for T1 and T3 circuits
Routers are more intelligent in handling packets
L3 switches do not support NAT

11. VLAN vs Subnet
A VLAN works at layer 2 while a subnet is at layer 3
Subnets are more concerned with IP addresses
VLANs bring more network efficiency
Subnets have weaker security than VLANs, as all hosts in the subnet use the same physical network

12. Contents of a System State backup
Registry
COM+ Class Registration database
Boot files, including the system files
System files that are under Windows File Protection
Active Directory directory service (if it is a domain controller)
SYSVOL directory (if it is a domain controller)
Cluster service information (if it is part of a cluster)
IIS Metadirectory (if it is an IIS server)
Certificate Services database (if it is a certificate server)

13. Incremental vs Differential backups
Incremental backup - Backs up the files whose archive bits are set and resets the bit after backup
Differential backup - Backs up the files whose archive bits are set but does not reset the bit after backup

14. Robocopy
Microsoft tool used for copying files effectively
It has plenty of options to manage the copy process

15. How do you patch Microsoft applications? Frequency of patches released by Microsoft
Microsoft applications can be patched using WSUS.
In WSUS, we can create several computer groups to manage the patch process.
MS patches are released once a month.

16. Explain GPO, GPC & GPT
GPO - Group Policy Object: Refers to the policy that is configured at the Active Directory level and is inherited by the domain member computers. You can configure a GPO at the site level, domain level or OU level. A GPO stores policy settings in two locations, the GPC and the GPT.
GPO processing order: Local Policy > Site GPO > Domain GPO > OU GPO > Child OU GPO
GPC - Group Policy Container: This is the AD portion of the group policy. It can be viewed using ADSI Edit. It stores version information, status information, and other policy information. When you create a new GPO, an AD object of class groupPolicyContainer gets created under the System\Policies container within your AD domain.
GPT - Group Policy Template: The GPT is where the GPO stores the actual settings. It stores software policy, script, and deployment information. The GPT is stored in the SYSVOL share (\\DomainNameHere\SYSVOL\Policies) whereas the GPC is stored in AD.

17. What is CPU affinity in VMware? Its impact on DRS?
CPU here refers to a logical processor on a hyperthreaded system and to a core on a non-hyperthreaded system.
By setting CPU affinity for each VM, you can restrict the assignment of VMs to a subset of the available processors.
The main use of setting CPU affinity is when there are display-intensive workloads which require additional threads with vCPUs.
DRS will not work with CPU affinity.
http://frankdenneman.nl/2011/01/11/beating-a-dead-horse-using-cpu-affinity/

18. VM version 4 vs VM version 7
Version 4
1. Runs on ESX 3.x
2. Max supported RAM 64 GB
3. Max vCPUs 4
4. MS cluster is not supported
5. 4 NICs/VM
6. No USB support
Version 7
1. Runs on vSphere 4.x
2. Max supported RAM 256 GB
3. Max vCPUs 8
4. MS cluster is supported
5. 10 NICs/VM
6. USB support

19. What happens to the VMs if a standalone host is taken to maintenance mode?
In the case of standalone servers, VMware recommends that VMs should be powered off before putting the server in maintenance mode.
If we put the standalone host in maintenance mode without powering off the VMs, it will remain in the "entering maintenance mode" state until the VMs are all shut down.
When all the VMs are powered down, the host status changes to under maintenance.
http://pubs.vmware.com/vsphere-4-esxvcenter/index.jsp#using_drs_clusters_to_manage_resources/c_using_maintenance_mode.html

20. What is new in Windows Server 2012
Server Core improvements: no need for a fresh installation, you can add/remove the GUI from Server Manager
Remotely manage servers, add/remove roles etc. using Server Manager; manage 2008 and 2008 R2 with the WMF 3.0 installation, installed by default in Server 2012
Remote Server Administration Tools available for Windows 8 to manage Windows Server 2012 infrastructure
PowerShell v3
Hyper-V 3.0
1. Supports up to 64 processors and 1 TB RAM per virtual machine
2. Up to 320 logical hardware processors and 4 TB RAM per host
3. Shared-nothing live migration: move VMs around without shared storage
ReFS (Resilient File System), an upgraded version of NTFS - supports larger file and directory sizes. Removes the 255-character limitation on long file names and paths; the limit on the path/filename size is now 32K characters!
Improved CHKDSK utility that will fix disk corruptions in the background without disruption

21. How does the backup software recognize that a file has changed since the last backup?
Files use a bit called the archive bit to track any change in the file. Backup software normally checks the archive bit of the file to determine whether the file has to be backed up or not.
22. How can you edit a VM template?
VM templates cannot be modified as such.
First, the VM template has to be converted to a virtual machine.
After making the necessary changes in the virtual machine, convert the virtual machine back to a template.
23. VMware configuration maximums

                      ESXi 5.5   ESXi 5.1   ESXi 5.0   ESXi 4.x
VMs
  vCPU                64         64         32         -
  RAM                 1 TB       1 TB       1 TB       255 GB
  vNIC                10         10         10         10
  VMDK size           62 TB      1 TB       1 TB       2 TB for 8 MB block
Hosts
  Logical CPU         320        160        160        160
  Memory              4 TB       2 TB       2 TB       1 TB
  LUNs                256        256        256        256
  LUN size            64 TB      64 TB      64 TB      64 TB
  Virtual Machines    512        512        512        320

24. What is the major difference between Windows Server 2008 and Windows Server 2012 in terms of AD promotion?
In Windows Server 2012, dcpromo has been deprecated. In order to make a Windows Server 2012 server a domain controller, the AD DS role has to be installed from Server Manager. After installation, run the post-deployment configuration wizard from Server Manager to promote the server to a domain controller.
25. VMware hardware version comparison

1. What is vSAN?
It is a hypervisor-converged storage solution built by aggregating the local storage attached to the ESXi hosts managed by a vCenter.
2. Recommended iSCSI configuration?
A separate vSwitch, and a separate network other than VMtraffic network for iSCSI
traffic. Dedicated physical NICs should be connected to vSwitch configured for iSCSI
traffic.
3. What is iSCSI port binding ?
Port binding is used in iSCSI when multiple VMkernel ports for iSCSI reside in the
same broadcast domain and IP subnet, to allow multiple paths to an iSCSI array that
broadcasts a single IP address.
4. iSCSI port binding considerations ?
Array Target iSCSI ports must reside in the same broadcast domain and IP subnet as the
VMkernel port.
All VMkernel ports used for iSCSI connectivity must reside in the same broadcast
domain and IP subnet.
All VMkernel ports used for iSCSI connectivity must reside in the same vSwitch.
Currently, port binding does not support network routing.
5. Recommended iSCSI configuration for a 6-NIC infrastructure? (Answer changes as per the infrastructure requirements)
2 NICs for VM traffic
2 NICs for iSCSI traffic
1 NIC for vMotion
1 NIC for the management network
6. Post-conversion steps in P2V
Adjust the virtual hardware settings as required
Remove non-present device drivers
Remove all unnecessary devices such as serial ports, USB controllers, floppy drives etc.
Install VMware Tools
7. Which esxtop metric will you use to confirm a storage latency issue?
esxtop --> d --> DAVG
8. What are standby NICs?
These adapters will only become active if the defined active adapters have failed.
9. Path selection policies in ESXi
Most Recently Used (MRU)
Fixed
Round Robin
10. Which networking features are recommended while using iSCSI traffic?
iSCSI port binding
Jumbo Frames
11. Ports used by vCenter
80, 443, 902
12. What is the 'No Access' role?
Users assigned the 'No Access' role for an object cannot view or change the object in any way.
13. When is a swap file created?
When the guest OS is first installed in the VM
14. The Active Directory group whose members will be ESXi administrators by default
ESX Admins
15. Which command is used in ESXi to manage and retrieve information from virtual machines?
vmware-cmd
16. Which command is used in ESXi to view live performance data?
esxtop
17. Command line tool used in ESXi to manage virtual disk files?
vmkfstools
18. Port used for vMotion
8000
19. Log file location of a VMware host
/var/log/vmware
20. Can you map a single physical NIC to multiple virtual switches?
No
21. Can you map a single virtual switch to multiple physical NICs?
Yes. This method is called NIC teaming.

22. A VMkernel port group can be used for:
vMotion
Fault Tolerance logging
Management traffic
23. Major difference between ESXi 5.1 and ESXi 5.5 free versions
Up to the ESXi 5.1 free version there was a limit on the maximum physical memory of 32 GB. From 5.5 onwards this limit has been lifted.
24. What is an IPAM server in Windows Server 2012?
IPAM is the IP Address Management server in Windows Server 2012. It enables central management of both DHCP and DNS servers. It can also be used to discover, monitor, and audit DHCP and DNS servers.
25. How to promote a server to domain controller in Windows Server 2012?
DCPROMO was the conventional tool used to promote a normal server to a DC. This is now deprecated in Server 2012.
In Server 2012, you can convert a server into a DC using the Server Manager console. Under Server Manager, add the new role "Active Directory Domain Services".
1. Windows 2003 vs Windows 2008
RODC
WDS instead of RIS
Services have been changed into roles - Server Manager
Introduction of Hyper-V - only on 64-bit versions
Enhanced Event Viewer
BitLocker feature
Server Core installation without GUI
MMC 3.0, with three-pane view
Key Management Service (KMS) to activate the Windows OS without connecting to the Microsoft site
Performance enhancement using technologies like Windows SuperFetch, ReadyBoost and ReadyDrive
Windows Aero user interface
Instant search
Support for IPv6 in DNS

2. ESX vs ESXi
ESXi has no service console (the ESX service console is a modified version of RHEL)
ESXi is extremely thin, hence results in fast installation and fast boot
ESXi can be purchased as an embedded hypervisor on hardware
ESXi has a built-in server health status check
3. ESXi 4.1 vs ESXi 5.0 - Migration
Local upgrade from CD
VMware Update Manager (only supports upgrade of ESX/ESXi 4.x to ESXi 5.0)

4. ESXi 4.1 vs ESXi 5.0 - Features
vSphere Auto Deploy
Storage DRS
HA - Primary/secondary concept changed to master/slave
Profile driven storage
VMFS version - 3 (4.1) / 5 (5.0)
ESXi firewall
VMware hardware version - 7 (4.1) / 8 (5.0)
VMware Tools version - 4.1 / 5
vCPU - 8 (4.1) / 32 (5.0)
vRAM - 256 GB (4.1) / 1 TB (5.0)
VMs per host - 320 (4.1) / 512 (5.0)
RAM per host - 1 TB (4.1) / 2 TB (5.0)
USB 3.0 support
vApp

5. FSMO roles
Schema Master
Domain naming master
Infrastructure master
PDC Emulator
RID master

6. GPO
Templates (ADMX)
Block inheritance
Enforced
Loopback policy

7. Forest and Domain concepts


8. OSI layers
Application Layer
Presentation Layer
Session Layer
Transport Layer
Network Layer
Data Link Layer
Physical Layer

9. ASA - site to site VPN

10. HA 5.0
Uses an agent called FDM - Fault Domain Manager
HA now talks directly to hostd instead of using the vCenter agent vpxa
Master/slave concept
Master
  monitors availability of hosts/VMs
  manages VM restarts after host failure
  maintains a list of all VMs on each host
  restarts failed VMs
  exchanges state with vCenter
  monitors the state of slaves
Slave
  monitors running VMs, sends status to the master and performs restarts on request from the master
  monitors master node health
  if the master fails, participates in the election
Two different heartbeat mechanisms - network heartbeat and datastore heartbeat
Network heartbeat
  Sent between slave and master every second
  When a slave is not receiving heartbeats from the master, it checks whether it is isolated or the master is isolated or has failed
Datastore heartbeat
  To distinguish between isolation and failure
  Uses the Power On file in the datastore to determine isolation
  This mechanism is used only when the master loses network connectivity with hosts
  2 datastores are chosen for this purpose
Isolation response
  Power Off
  Leave Powered On
  Shutdown
11. vMotion
vMotion enables live migration of running virtual machines from one host to another with zero downtime.
Prerequisites
1. Host must be licensed for vMotion
2. Configure the host with at least one vMotion network interface (VMkernel port group)
3. Shared storage (this requirement has been relaxed in 5.1)
4. Same VLAN and VLAN label
5. Gigabit Ethernet network required between hosts
6. Processor compatibility between hosts
7. vMotion does not support migration of applications clustered using Microsoft Cluster Service
8. No CD-ROM attached
9. No affinity is enabled
10. VMware Tools should be installed
12. RAID
Redundant Array of Independent Disks
A category of disk drives that uses 2 or more drives in combination for redundancy and performance
Most common RAIDs: RAID 0 (striping), RAID 1 (mirroring), RAID 5
13. Backup types
1. Full backup - Backs up all selected files and resets the archive bit
2. Copy backup - Backs up all selected files but does not reset the archive bit
3. Incremental backup - Backs up the files whose archive bits are set and resets the bit after backup
4. Differential backup - Backs up the files whose archive bits are set but does not reset the bit after backup
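Added example (not part of the original Q&A), covering the four backup types above and the archive-bit description in the earlier question on how backup software detects changed files: a Python simulation of the archive bit across a week of backups, and a derivation of which backup sets a restore needs. The file names and the daily modifications are constructed.

```python
# Added example (not from the original document): the archive-bit bookkeeping
# behind full, copy, incremental and differential backups. The file names and
# the week's modifications are constructed.


class FileSystem:
    def __init__(self, names):
        # A newly created or modified file has its archive bit set
        self.archive = {name: True for name in names}

    def modify(self, name):
        self.archive[name] = True


def run_backup(fs, kind):
    """Return the files written to this backup set and update archive bits."""
    if kind in ("full", "copy"):
        selected = sorted(fs.archive)                                    # all selected files
    elif kind in ("incremental", "differential"):
        selected = sorted(n for n, bit in fs.archive.items() if bit)     # only changed files
    else:
        raise ValueError(f"unknown backup type: {kind}")
    if kind in ("full", "incremental"):
        for name in selected:
            fs.archive[name] = False       # copy and differential leave the bit set
    return selected


def simulate_week(kind):
    """Full backup on day 0, then one backup of `kind` per day while one file
    changes each day. Returns the file list written on each daily run."""
    fs = FileSystem(["a.doc", "b.xls", "c.pst"])
    run_backup(fs, "full")
    runs = []
    for name in ["a.doc", "b.xls", "c.pst"]:
        fs.modify(name)
        runs.append(run_backup(fs, kind))
    return runs


def restore_sets(runs):
    """Walk the daily sets newest-first and keep every set that still holds the
    newest copy of some file; the full backup is always needed as the base."""
    needed, seen = [], set()
    for day in range(len(runs), 0, -1):
        new_files = [f for f in runs[day - 1] if f not in seen]
        if new_files:
            needed.append(f"day{day}")
            seen.update(new_files)
    return ["full"] + needed[::-1]


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        runs = simulate_week(kind)
        print(kind, runs, "restore needs:", restore_sets(runs))
```

Incremental runs stay small but a restore needs the full set plus every increment; differential runs grow through the week but a restore needs only the full set and the latest differential.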
14. Windows 2003 to 2008 migration
Can be done only by logging in to the Windows 2003 server
Minimum of Windows 2003 SP1 required
Can be migrated only to the same edition, except for Windows Server 2003 Standard, which can be migrated to either Standard or Enterprise
Extra space of 30 GB required prior to migration
Cannot upgrade to Server Core
Perform forestprep and domainprep for 2008 using the 2008 CD before migrating (copy the sources\adprep folder for this)
15. ESXi Update Manager

16. Global Catalog
Global catalog (GC) is a role handled by domain controllers in an Active Directory model.
The global catalog stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest.
Partial copy refers to the set of attributes that are most used for searching every object in every domain.
All domain controllers can be promoted to a GC.
GC helps in faster search of AD objects.
The replicas that are replicated to the global catalog also include the access permissions for each object and attribute. If you are searching for an object that you do not have permission to access, you do not see the object in the list of search results. Users can find only objects to which they are allowed access.
Global catalog server clients depend on DNS to provide the IP address of global catalog servers. DNS is required to advertise global catalog servers for domain controller location.
By default, the first DC in a forest will be a global catalog server.

17. Basic networking concepts

18. RODC
New feature in Windows 2008
Has only a read-only copy of the directory database
An RODC will have all the objects of a normal DC in read-only mode, but this doesn't include passwords. An RODC does not store account passwords.
Updates are replicated to the RODC by a writable DC
Password caching: A feature which enables the RODC to cache the passwords of logged-in users.
Password Replication Policy: Determines whether a password can be cached or not.
DNS can be integrated with an RODC but it will not directly register client updates. For any DNS change, the RODC refers the client to a DNS server that hosts a primary or AD-integrated zone.
19. NAS vs SAN
Both are used as storage solutions
NAS can be used by any device connected over the LAN, whereas SAN is used only by server-class devices with SCSI
NAS is file-based whereas SAN is block-based storage
NAS is cheap while SAN is expensive
SAN is comparatively faster than NAS

20. What is DRS? Types of DRS
Distributed Resource Scheduler
It is a feature of a cluster
DRS continuously monitors utilization across the hosts and moves virtual machines to balance the computing capacity
DRS uses vMotion for its functioning
Types of DRS
1. Fully automated - The VMs are moved across the hosts automatically. No admin intervention required.
2. Partially automated - The VMs are placed on hosts automatically at the time of VM boot-up. But once up, vCenter will only provide DRS recommendations, which the admin has to perform manually.
3. Manual - The admin has to act according to the DRS recommendations.

21. DRS prerequisites
Shared storage
Processor compatibility of hosts in the DRS cluster
vMotion prerequisites

22. vMotion is not working. What are the possible reasons?
Ensure vMotion is enabled on all ESX/ESXi hosts
Ens
ure that all VMware prerequisites are met
Verify if the ESXi/ESX host can be reconnected, or if reconnecting the ESX/ESXi host resolves the issue
Verify that time is synchronized across the environment
Verify that the required disk space is available
23. What happens if a host is taken into maintenance mode?
Hosts are taken into maintenance mode during the course of maintenance.
In a single ESX/ESXi setup, all the VMs need to be shut down before entering maintenance mode.
In a vCenter setup, if DRS is enabled, the VMs will be migrated to other hosts automatically.

24. How will you clone a VM on an ESXi host without vCenter?
Using vmkfstools
Copy the VMDK file and attach it to a new VM
Using VMware Converter
25. Explain Traverse Folder
Allows or denies moving through a restricted folder to reach files and folders beneath the restricted folder in the folder hierarchy.
Traverse Folder takes effect only when the group or user is not granted the "Bypass traverse checking" user right in the Group Policy snap-in. This permission does not automatically allow running program files.

The Netlogon service on a DC is responsible for registering SRV records in the DNS server under _tcp.dc._msdcs.domain.com. It then registers the SRV records of the domain controller under _sites.dc._msdcs.domain.com based on its site location.
When a client first tries to log in to an AD network, the client sends a DNS request to find the DCs under _ldap._tcp.dc._msdcs.domain.com. From the list, it chooses a DC randomly for authentication. Then the client sends an LDAP ping to the DC asking for the site it belongs to, based on the IP address of the client. The DC then returns the site to which the client's IP address is most related, along with the DC's current site and a flag, DSClosestFlag, which is either 0 or 1 based on whether the currently authenticated DC is the closest to the client. If this flag indicates that the client is not authenticated to the closest DC, the client sends a site-specific DNS query to find the DC from _ldap._tcp.<sitename>._sites.dc._msdcs.domain.com.
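Added example (not part of the original Q&A): a Python walk-through of the DC locator exchange described above, with the DNS names the client queries and the SRV record selection (lowest priority first, then weighted by the weight field, as RFC 2782 specifies). The zone data, site names, client subnets and the simplified LDAP ping reply are all constructed here; a real client gets them from DNS and from the DC's response.

```python
# Added example (not from the original document): the DNS names used by the
# DC locator process and RFC 2782 SRV record selection. The zone data, site
# names, subnets and the LDAP ping reply are constructed; a real client gets
# them from DNS and from the DC's response.
import random


def dc_srv_name(domain, site=None):
    """Generic name first; site-specific name once the client knows its site."""
    if site is None:
        return f"_ldap._tcp.dc._msdcs.{domain}"
    return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"


def parse_srv(answer_lines):
    """Parse zone-file style answers: 'name ttl IN SRV priority weight port target.'"""
    records = []
    for line in answer_lines:
        parts = line.split()
        if len(parts) < 8 or parts[3] != "SRV":
            continue
        records.append({"priority": int(parts[4]), "weight": int(parts[5]),
                        "port": int(parts[6]), "target": parts[7].rstrip(".")})
    return records


def choose_target(records, rng=random):
    """Lowest priority wins; among equals, pick weighted by the weight field."""
    if not records:
        return None
    best = min(r["priority"] for r in records)
    candidates = [r for r in records if r["priority"] == best]
    total = sum(r["weight"] for r in candidates)
    pick = rng.random() * total
    running = 0
    for r in candidates:
        running += r["weight"]
        if pick < running:
            return r
    return candidates[-1]   # all weights zero: fall through to the last record


class FixedRng:
    """Deterministic stand-in for the random module, so selection can be tested."""
    def __init__(self, value):
        self.value = value

    def random(self):
        return self.value


# Constructed environment: two sites, one DC each
DC_SITES = {"dc1.example.com": "HQ", "dc2.example.com": "Branch"}
CLIENT_SUBNETS = {"10.1.": "HQ", "10.2.": "Branch"}
DNS = {
    "_ldap._tcp.dc._msdcs.example.com": [
        "_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.",
        "_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc2.example.com.",
    ],
    "_ldap._tcp.HQ._sites.dc._msdcs.example.com": [
        "_ldap._tcp.HQ._sites.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.",
    ],
    "_ldap._tcp.Branch._sites.dc._msdcs.example.com": [
        "_ldap._tcp.Branch._sites.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc2.example.com.",
    ],
}


def ldap_ping(dc, client_ip):
    """Simplified LDAP ping reply: the client's site (from its IP), the DC's
    site, and a closest flag (1 when the DC already sits in the client's site)."""
    client_site = next((s for prefix, s in CLIENT_SUBNETS.items() if client_ip.startswith(prefix)), None)
    return {"client_site": client_site, "dc_site": DC_SITES[dc],
            "closest": 1 if DC_SITES[dc] == client_site else 0}


def locate_dc(domain, client_ip, dns=DNS, rng=random):
    """Return the chosen DC and the DNS names queried to find it."""
    queries = [dc_srv_name(domain)]
    dc = choose_target(parse_srv(dns[queries[-1]]), rng)["target"]
    reply = ldap_ping(dc, client_ip)
    if not reply["closest"] and reply["client_site"]:
        queries.append(dc_srv_name(domain, reply["client_site"]))
        dc = choose_target(parse_srv(dns[queries[-1]]), rng)["target"]
    return dc, queries


if __name__ == "__main__":
    print(locate_dc("example.com", "10.2.5.7", rng=FixedRng(0.0)))
```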

Unique Sequence Number (USN)
USN is an AD database change tracking number. Any change or transaction made on a DC is represented by a USN increment. The USNs of DCs in the same domain need not be the same. The USN of a DC is particular only to that DC; the USNs of other DCs are tracked in the HWMV (high-watermark vector) table of a DC.
Server Object GUID (DSA GUID)
The DSA (Directory System Agent) GUID is used with USNs to track originating writes. It is also used by a DC to identify its replication partners. The value of the DSA GUID is stored in the objectGUID attribute of the NTDS Settings object. The DSA GUID is created when AD is initially installed on a DC and will not change during its lifetime unless the DC is removed from the domain. The DSA GUID ensures that the DC is recognizable even in case of a DC rename.
Server Database GUID (Invocation GUID)
The AD database has its own GUID which is used to identify the database version. The value of the Invocation GUID is stored in the invocationId attribute of the NTDS Settings object. Unlike the DSA GUID, the Invocation GUID is changed during an AD restore process to ensure replication consistency.
Coming to the USN rollback scenario:
Cause
USN rollback is mainly caused by restoring a DC using a non-Microsoft restore process like Norton Ghost, a VMware snapshot etc., or when we perform a V2V of an existing DC.
Explanation
When we restore a DC using the conventional methods of AD restoration, the Invocation ID of the DC is reset, which in turn resets the USN to make the DC understand that the database has been restored. The Invocation ID tracks the version of the DC's database. The previous Invocation ID is marked as retired. When we use methods other than the conventional restoration methods, this ID is not reset. This prevents other DCs from replicating with the rolled-back DC the changes made after the image was taken.
In this scenario, other DCs will believe that the rolled-back DC is holding updated data and will not replicate, which makes the AD data inconsistent.
Resolution
1. Forcefully demote the DC
2. Remove metadata using metadata cleanup
3. Seize FSMO roles
4. Re-promote the server

What is Sysvol ?
Sysvol is a special folder available in the C:\Windows\SYSVOL directory on all domain
controllers within the domain. This special folder contains the domain's Group Policy
settings, default profiles and logon/logoff/startup/shutdown scripts. When a user logs in
to a client machine, the machine pulls all the group policy settings and logon scripts from
the SYSVOL folder of its local DC. For this reason, these folders keep replicating between
the DCs, either using DFS-R (Distributed File System Replication Service) or the older FRS
(File Replication Service). The Sysvol directory can be accessed using:
\\domain-name\SYSVOL or
\\DC-name\SYSVOL
Contents of SYSVOL
If you access the location C:\Windows\SYSVOL, you will see 4 folders - domain, staging,
staging areas & sysvol.
First we will discuss the sysvol and domain folders. The folder 'sysvol' is a Junction Point
(a kind of soft link) to the folder 'domain'. That means the actual contents are in the
'domain' folder, whereas 'sysvol' acts as an alias that you can browse like a normal folder.

Sysvol is the folder you end up in when you access \\domain name\SYSVOL or
\\DC name\SYSVOL. This folder contains the Policies, scripts & StarterGPOs folders.

The Policies folder contains all the group policy objects in the domain. For every new GPO,
a new folder with a unique GUID is created in this folder. These are called Group Policy
Templates (GPT). If you make any changes to a particular group policy, the changes are made
in this folder. The scripts folder contains all the scripts used.

Now come the staging folder and staging areas.

The staging folder acts like a queue for changed files and folders that need to be replicated
to the other SYSVOLs in the domain. These changes are normally due to group policy changes;
in short, the folder is empty if there are no group policy updates. Once an update has been
replicated, the contents of this folder are deleted as well.
Active Directory Recycle Bin
This is a new feature of Windows 2008 R2 which is disabled by default. The feature is
available only if your forest functional level is Windows 2008 R2 or above. Once you enable
this feature, it cannot be disabled.
How to enable?
There is no GUI to enable the AD Recycle Bin. Open PowerShell and execute the below (the
-whatif switch only previews the change; drop it to actually enable the feature):
Import-Module ActiveDirectory
Enable-ADOptionalFeature -Identity "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target "globomantics.local" -whatif

What makes AD Recycle Bin special ?

Normal deletion process: an object is deleted and moved to the Deleted Objects container
after its isDeleted attribute is set to True (tombstoning). Most of the attributes of the
object are stripped off at this point. The stripped object is retained during the TSL and
is deleted permanently after the TSL.
AD Recycle Bin process: all of the above holds for the AD Recycle Bin as well, except the
attribute stripping. When an AD object is deleted with the Recycle Bin enabled, the system
preserves all of the object's attributes.
In short, if you want the attributes of deleted objects to be available after tombstone
reanimation, enable the AD Recycle Bin.
AD Recycle Bin process
1. An object is removed from AD; it is now 'logically deleted' from AD.
2. The deleted object is moved to the Deleted Objects container and remains there for the
duration of the deleted object lifetime. Within this period the object can be recovered
using the AD Recycle Bin or an authoritative restore.
3. After the deleted object lifetime, the logically deleted object becomes a recycled object
(which is the same as a tombstoned object).
4. The recycled object remains in the Deleted Objects container until the recycled object
lifetime expires, after which the object is physically deleted by the garbage collection
process.
Active Directory Tombstone
When an object is removed from Active Directory, it is said to be tombstoned. A tombstone is
what a Domain Controller uses to notify other Domain Controllers about an object deletion.
The tombstoned object is retained in AD for a specific amount of time defined by the
Tombstone Lifetime (TSL). When an object is tombstoned, the object is moved to a special
container named Deleted Objects and becomes invisible to normal directory operations.
Within the TSL, the object can be retrieved at any time; this is called tombstone
reanimation. But the retrieved object loses some of its properties, such as its group
membership details.
After the TSL, the garbage collection process, which runs every 12 hours, deletes the object
permanently from Active Directory.
Find TSL for your domain
1. Open adsiedit.msc
2. Select the Configuration partition
3. Right click CN=Directory Service and select Properties
4. In the Attribute column look for the tombstoneLifetime value
This value is the TSL for your domain. If the value is <Not Set>, the TSL is the default
value for that server class.
Default TSL
Windows 2000           - 60 days
Windows 2003 SP1       - 180 days
Windows 2003 R2        - 60 days
Windows 2008 and above - 180 days
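The same lookup done from PowerShell instead of adsiedit, together with the Recycle Bin state and deleted object lifetime discussed above, as an added example that is not part of the original guide; it assumes the ActiveDirectory module (RSAT) is installed, and the function names are constructed:

```powershell
# Added example, not from the original guide. Cmdlets and attribute names are the real ones;
# Get-AdLifetimeSettings and Test-RestoreWindow are constructed helper names.
Import-Module ActiveDirectory

function Get-AdLifetimeSettings {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    # Same object adsiedit shows as CN=Directory Service in the Configuration partition.
    $dsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $ds = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

    $tsl = $ds.tombstoneLifetime
    $dol = $ds.'msDS-DeletedObjectLifetime'
    # When msDS-DeletedObjectLifetime is not set, the deleted object lifetime equals the TSL.
    if ($null -eq $dol) { $dol = $tsl }

    # <Not Set> means the OS default from the table above applies.
    $tslDisplay = if ($null -eq $tsl) { '<Not Set> (OS default applies)' } else { [int]$tsl }

    # EnabledScopes is empty until Enable-ADOptionalFeature has been run without -WhatIf.
    $rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'

    [pscustomobject]@{
        TombstoneLifetimeDays     = $tslDisplay
        DeletedObjectLifetimeDays = $dol
        RecycleBinEnabled         = (@($rb.EnabledScopes).Count -gt 0)
        RecycleBinEnabledScopes   = @($rb.EnabledScopes)
    }
}

function Test-RestoreWindow {
    # $true when a backup taken on $BackupDate is still younger than the lifetime in days,
    # i.e. still restorable (a backup older than the TSL cannot be restored).
    param([datetime]$BackupDate, [int]$LifetimeDays, [datetime]$Now = (Get-Date))
    return (($Now - $BackupDate).TotalDays -lt $LifetimeDays)
}

Get-AdLifetimeSettings | Format-List

# Constructed check: a 4-month-old backup against a 60-day TSL is outside the window.
Test-RestoreWindow -BackupDate (Get-Date).AddMonths(-4) -LifetimeDays 60
```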

AD REPLICATION
Intrasite replication replicates changes made on one DC to all other DCs in the same site.
AD replications are generally pull operations. For example (a site with two DCs: DC1 & DC2),
if a change is made on DC1, then DC1 will inform DC2 about the change. After this
notification, DC2 pulls the changes from DC1, thereby bringing its AD data up to date.
Replication interval
When a DC writes a change to its local copy of the AD, a timer is started that determines
when the DC's replication partners should be notified of the change. By default, this
interval is 15 seconds in Windows 2003 and later.
Active Directory Partitions
The Active Directory database is divided into partitions or naming contexts (NC):
Schema NC - contains the schema details and is replicated to each DC in the forest.
Configuration NC - contains forest wide configuration information and is replicated to each
DC in the forest.
Domain NC - contains the most commonly accessed AD data and is replicated to each DC in the
domain.
Each of these NCs is replicated separately to the DCs.
There are two kinds of write operations that AD needs to replicate:
Originating write: any change made on a DC is an originating write for that DC.
Replicated write: any change which arrived as part of replication is a replicated write.
AD changes are managed through several pieces of replication metadata:
Update Sequence Number (USN)
Each DC maintains a USN which is specific to that DC. Any change made on the DC
(originating write) or replicated to the DC (replicated write) is followed by a USN
increment. The USNs of DCs in the same domain need not be the same; therefore the USN of
one DC has no meaning to any other DC in terms of comparing one change to another.
For example: the current USN value of DC1 is 3000 and of DC2 is 4000. Suppose a change is
made on DC1; its USN is incremented to 3001. DC1 notifies DC2 about the change and DC2
pulls the new change. When the change is pulled, DC2 increments its own USN to 4001.
High watermark vector (HWMV)
The USN is only a method to track the changes made on a DC. Each DC also needs a way to
keep track of the changes that have already been replicated; otherwise each DC would be
sending the entire Active Directory database across the wire at every replication.
To prevent this, each Active Directory DC maintains a value called the High Watermark
Vector (HWMV) for each domain controller that it replicates with. Each DC associates this
high watermark vector with the Globally Unique Identifier (GUID) of the remote DC, to
prevent any confusion if a remote domain controller is renamed or removed from the
directory.
Let us discuss some replication scenarios here:
Scenario 1:
2 Domain controllers
USN of DC1 = 3000
USN of DC2 = 4500
A new object is created in DC1, and its USN is incremented to 3001.
DC1 notifies DC2 about the new change. DC2 replies with the HWMV value it holds for DC1.
DC1 compares the HWMV value and understands that DC2 is not updated with change 3001.
DC1 sends this change to DC2; DC2 commits the change and updates its local USN.

The above scenario looks fine with 2 DCs but could create severe replication loops with
3 or more DCs.
Up-to-dateness Vector (UTDV)
If a change is made on DC1, the change is replicated to DC2 and DC3. When this change is
received on DC2, DC2 would inform DC1 and DC3 about the same change, and replication would
end up in a loop.
In order to avoid this situation another piece of metadata is stored by the DC, called the
Up To Dateness Vector (UTDV).
The UTDV stores the highest originating update USN the local DC has received from each
other DC. Every DC keeps an HWMV table and a UTDV for each AD partition to store the latest
USNs of its replication partners. Whenever DC1 contacts DC2 for replication, DC2 sends the
HWMV of DC1 in DC2 along with the highest originating USN that DC2 has in its UTDV table.
Scenario 2
3 Domain controllers
USN of DC1 = 3001
USN of DC2 = 4501
USN of DC3 = 7000
Suppose a change is made in DC3, which increments the USN of DC3 to 7001. DC3 informs
DC1 and DC2 about this change.
Now starts the role of the UTDV. DC2 notifies DC1 about the new change it received from
DC3. DC1 then replies to DC2 with the HWMV of DC2 in DC1, along with the highest
originating USN DC1 has in its UTDV table (here 7002, which DC1 received from DC3).
DC2 compares the HWMV and understands that its HWMV in DC1 is outdated. Therefore it
takes all corresponding transactions for the missing USNs.
But when it takes the missing transaction, after comparing the UTDV it received from DC1
with the originating USN of the change in DC2, DC2 understands that the change need not
be replicated to DC1.
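Scenario 2 replayed with a small in-memory model of USN, HWMV and UTDV, as an added example that is not part of the original guide; the DC names, starting USNs, object name and helper function names are constructed for illustration:

```powershell
# Added example, not from the original guide. Each DC is modelled as an object with its own
# USN counter, a change log, an HWMV table (per partner) and a UTDV table (per originator).
function New-Dc {
    param([string]$Name, [long]$Usn)
    [pscustomobject]@{
        Name = $Name
        Usn  = $Usn                                    # local counter, meaningless on other DCs
        Log  = New-Object System.Collections.ArrayList # entries: LocalUsn, OrigDc, OrigUsn, Object
        Hwmv = @{}   # partner name -> highest LocalUsn of that partner already pulled
        Utdv = @{}   # originating DC name -> highest originating USN already applied here
    }
}

function Write-OriginatingChange {
    # An originating write: bump the local USN and record this DC as the originator.
    param($Dc, [string]$ObjectName)
    $Dc.Usn++
    [void]$Dc.Log.Add([pscustomobject]@{ LocalUsn = $Dc.Usn; OrigDc = $Dc.Name; OrigUsn = $Dc.Usn; Object = $ObjectName })
    $Dc.Utdv[$Dc.Name] = $Dc.Usn
}

function Invoke-Pull {
    # $Dest pulls from $Source: it presents the HWMV it holds for $Source plus its UTDV, and
    # $Source offers only the log entries above that HWMV. Returns the number applied.
    param($Dest, $Source)
    $applied = 0
    $mark = if ($Dest.Hwmv.ContainsKey($Source.Name)) { $Dest.Hwmv[$Source.Name] } else { 0 }
    foreach ($c in @($Source.Log | Where-Object { $_.LocalUsn -gt $mark })) {
        $seen = if ($Dest.Utdv.ContainsKey($c.OrigDc)) { $Dest.Utdv[$c.OrigDc] } else { 0 }
        if ($c.OrigUsn -le $seen) {
            # UTDV check: $Dest already holds this originating write (it arrived through another
            # partner), so the change is not sent again. This is what breaks the loop.
            Write-Host ("{0}: skip {1}@{2} offered by {3}, already applied" -f $Dest.Name, $c.OrigDc, $c.OrigUsn, $Source.Name)
        } else {
            $Dest.Usn++   # a replicated write still consumes a local USN on $Dest
            [void]$Dest.Log.Add([pscustomobject]@{ LocalUsn = $Dest.Usn; OrigDc = $c.OrigDc; OrigUsn = $c.OrigUsn; Object = $c.Object })
            $Dest.Utdv[$c.OrigDc] = $c.OrigUsn
            $applied++
        }
        $Dest.Hwmv[$Source.Name] = $c.LocalUsn   # HWMV advances whether or not the change was applied
    }
    return $applied
}

# Scenario 2 with the starting USNs given in the text.
$dc1 = New-Dc -Name 'DC1' -Usn 3001
$dc2 = New-Dc -Name 'DC2' -Usn 4501
$dc3 = New-Dc -Name 'DC3' -Usn 7000

Write-OriginatingChange -Dc $dc3 -ObjectName 'CN=NewUser'     # DC3 USN becomes 7001
'DC1 pulls from DC3: applied {0}' -f (Invoke-Pull -Dest $dc1 -Source $dc3)   # 1 (DC1 USN 3002)
'DC2 pulls from DC3: applied {0}' -f (Invoke-Pull -Dest $dc2 -Source $dc3)   # 1 (DC2 USN 4502)
# DC2 offers its LocalUsn 4502 (originator DC3@7001); DC1's UTDV[DC3] is already 7001.
'DC1 pulls from DC2: applied {0}' -f (Invoke-Pull -Dest $dc1 -Source $dc2)   # 0
'DC2 pulls from DC1: applied {0}' -f (Invoke-Pull -Dest $dc2 -Source $dc1)   # 0
'DC1 USN {0}; HWMV {1}; UTDV {2}' -f $dc1.Usn, ($dc1.Hwmv | ConvertTo-Json -Compress), ($dc1.Utdv | ConvertTo-Json -Compress)
```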
KCC (Knowledge Consistency Checker) is responsible for generating the replication
topology between domain controllers. KCC runs on each DC of a domain and creates a
connection object for each DC in AD. It is responsible for all intra-site replication.
In an inter-site scenario, there is a bridgehead server to manage site-to-site replication.
Here, the connection objects for the bridgehead servers are created in a separate way.
ISTG (Inter-Site Topology Generator) is responsible for creating connection objects on
bridgehead servers. ISTG is nothing but a KCC server (DC) which is responsible for
reviewing the inter-site topology and creating inbound replication connection objects as
necessary for bridgehead servers in the site in which it resides. The domain controller
holding this role is not necessarily also a bridgehead server.
Scenario
I have an environment with Windows 2003 & Windows 2008 servers in Windows 2000 Native mode.
If I try to add any AD group to a folder's security settings on a Windows 2008 server, the AD
group name won't get resolved, i.e. ultimately you will fail to set folder permissions for
these AD groups. But when I try to do the same from a Windows 2003 server, it gets added.
Resolution
In Windows 2000 Native mode, a Windows 2008 server cannot set folder permissions for AD groups.
To resolve this issue, raise the domain functional level to Windows 2003 or higher, taking
into account the domain controllers in the domain.

Enable replication - tombstone lifetime exceeded

Step 1
Run the repadmin /showrepl command on the domain controller that received the error to
determine which domain controller has been disconnected for longer than a tombstone
lifetime.
Step 2
Modifying the registry
1. Click Start, click Run, type regedit, and then click OK.
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
3. In the details pane, create or edit the registry entry as follows:
If the registry entry exists in the details pane, modify the entry as follows:
a. In the details pane, right-click Allow Replication With Divergent and Corrupt Partner,
and then click Modify.
b. In the Value data box, type 1, and then click OK.
If the registry entry does not exist, create the entry as follows:
a. Right-click Parameters, click New, and then click DWORD Value.
b. Type the name Allow Replication With Divergent and Corrupt Partner, and then press ENTER.
c. Double-click the entry. In the Value data box, type 1, and then click OK.
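The same registry change applied, verified and then reverted from PowerShell, as an added example that is not part of the original guide; the key path and value name are those from the steps above, the function names are constructed:

```powershell
# Added example, not from the original guide. The key and value name are the real ones from
# the procedure above; Get-/Set-DivergentPartnerReplication are constructed helper names.
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName  = 'Allow Replication With Divergent and Corrupt Partner'

function Get-DivergentPartnerReplication {
    # 1 = replication with a partner beyond the TSL is allowed, 0 = blocked (the default),
    # $null = the value does not exist, which behaves like 0.
    $item = Get-ItemProperty -Path $NtdsParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-DivergentPartnerReplication {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    if ($null -eq (Get-DivergentPartnerReplication)) {
        # Value absent: create the DWORD, as in step 3 of the procedure.
        New-ItemProperty -Path $NtdsParams -Name $ValueName -PropertyType DWord -Value $Value | Out-Null
    } else {
        # Value present: just modify it.
        Set-ItemProperty -Path $NtdsParams -Name $ValueName -Value $Value
    }
}

# Allow the one-off replication with the partner identified in Step 1, confirm it, then
# put the value back to 0: leaving it at 1 disables the TSL safety check permanently.
Set-DivergentPartnerReplication -Value 1
Get-DivergentPartnerReplication          # 1
repadmin /showrepl                       # re-check the partner named in Step 1
Set-DivergentPartnerReplication -Value 0
Get-DivergentPartnerReplication          # 0
```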

Active Directory Backup and Restore in Windows 2008

Taking backup
1. Open a command prompt and execute wbadmin start systemstatebackup -backuptarget:e:\
- In Windows 2008, you need to install the Windows Server Backup feature, as it is not
installed by default.
2. Confirm that the backup was successful using the command wbadmin get versions
Restoration
1. Restart the server in Directory Services Restore Mode (DSRM)
2. Get the version ID of the available backup using wbadmin get versions
3. Run the restoration using the command wbadmin start systemstaterecovery -version:versionID
Making the Restoration Authoritative
1. At a command prompt, type ntdsutil, and then press ENTER.
2. Type authoritative restore, and then press ENTER.
3. You will be prompted with "Active Instance not set. To set an active instance use
"Activate Instance"".
4. Type activate instance ntds and then press ENTER.
5. Then type the command restore subtree dc=Domain_Name,dc=xxx and then press ENTER.
Note: In Windows 2008, the restore database command is not supported as it may cause
serious problems.

Active Directory Global Catalog Server

Global catalog (GC) is a role handled by domain controllers in an Active Directory model.
The global catalog stores a full copy of all objects in the directory for its host domain and
a partial copy of all objects for all other domains in the forest. Partial copy refers to
the set of attributes that are most used for searching every object in every domain.
All domain controllers can be promoted to a GC.
GC helps in faster searches of AD objects.
The replicas that are replicated to the global catalog also include the access permissions
for each object and attribute. If you search for an object that you do not have permission
to access, you do not see the object in the list of search results: users can find only
objects to which they are allowed access.
Global catalog server clients depend on DNS to provide the IP address of global catalog
servers. DNS is required to advertise global catalog servers for domain controller location.
By default, the first DC in a forest is a global catalog server.
FSMO - Expansion and its relevance

FSMO is the short form of Flexible Single Master Operations. Each of these words has its
own significance. Operations Master is a set of roles, each of which handles a separate
operation. So why are Flexible & Single used?
Single is used since each role works independently on a single DC. Since these operations
master roles can be moved across the DCs, it is called Flexible, and that is why the name
Flexible Single Master Operations. The terms Operations Master and Single Master Operation
are also used interchangeably for FSMO.

FSMO roles need not be installed separately. They are installed automatically during the
domain creation and, by default, will be available on the first DC of the forest. All the
roles can be moved to any DC in the forest, but there are some criteria for this which will
be explained later.

FSMO Roles

There are 5 FSMO roles. These roles can be classified as forest wide roles and domain wide
roles.
Forest wide roles:
Schema Master
Domain Naming Master
There will be only one Schema Master and one Domain Naming Master across the forest.
Domain wide roles:
Infrastructure Master
PDC Emulator
RID Master
These roles are domain specific and have to exist in each domain.
Schema Master
This role manages the schema of the forest.
Any updates or modifications to the existing schema are managed by this role.
Not dependent on a Global Catalog server.
Since this role is not used often once the domains are set up, it is fine to place this
role on a DC which does not have much processing capability.
Since the Schema Master role is required as long as the forest exists, it is recommended
to place this role in the root domain.
If the Schema Master is down?
No impact on the domain. The domain will work as usual.
But if the admin tries to perform any schema related change, an error will occur.
Domain Naming Master
Manages the addition and removal of domains in a forest.
It is recommended to make the DC holding the Domain Naming Master role a Global Catalog
server.
Since this role is not used often once the domains are set up, it is fine to place this
role on a DC which does not have much processing capability.
Since the Domain Naming Master role is required as long as the forest exists, it is
recommended to place this role in the root domain.
If the Domain Naming Master role is down?
No impact on the domain. The work of the domain will continue as always.
New domains cannot be added. Existing domains cannot be deleted.
Infrastructure Master
When an object in one domain is referenced in another domain, the reference is represented
by the GUID, SID and DN of the object being referenced (a phantom object).
Responsible for updating these cross domain references.
Plays an important role when there are multiple domains, but has no relevance in a single
domain environment.
Do not hold the Infrastructure Master role on a DC holding the Global Catalog role unless
all the DCs in the environment hold the GC role.
If the Infrastructure Master role is down?
No impact in a single domain environment.
If there are multiple domains, any change to an object which is referenced by another
object in another domain will not be reflected.
PDC Emulator
Gives backward compatibility with legacy systems such as Windows NT.
Responsible for handling password changes in a domain.
Manages account lockout. Whenever authentication fails, a lockout counter is incremented
by the PDC.
Responsible for keeping domain time in sync. The DC holding this role is the most credible
and authoritative time server in the domain.
Responsible for updating group policy.
It is always better to make the DC which serves the most users the PDC Emulator, since
user logons often need to contact this DC for authentication.
If the PDC Emulator is down?
Users will not be able to change passwords.
Can lead to unsynced time, which can lead to logon failures.
Group policy update issues.
RID Master

The RID Master is responsible for allocating RIDs to the DCs.
Each object has an SID which is a combination of the Domain SID and a RID.
Initially, each DC has a pool of 500 RIDs.
Once the RIDs allocated to a DC are drained, the DC contacts the RID Master for a new pool
of RIDs.

If the RID Master is down?
Not much impact if the DCs have enough RIDs available in their pools.
New objects cannot be created once the RIDs are drained.

Why Infrastructure Master should not be a Global Catalog server?

The Infrastructure Master role is responsible for managing any cross domain references.
When we discuss cross domain references, it is essential to discuss phantom objects.
An AD group is something which can hold members of its own domain and groups from other
domains (e.g. Global group and Universal group). For a group in one domain to contain
members from another domain, a pointer or cross-domain reference is required. This
cross-domain reference is called a phantom object.
The phantom object needs to be updated regularly. Each DC is responsible for updating its
own phantom objects. For all DCs in the domain, this task is done by the DC holding the
Infrastructure Master (IM) role, except for DCs holding the GC role, as a GC does not
require the cross reference since it already holds a partial replica of all objects in the
forest. A phantom object holds the GUID, Distinguished Name (DN) and SID of the object
which is being referenced.
Process of updating Phantom objects
Suppose an object X in Domain A is referenced in another Domain B. When a change is made
to X, the below activities take place.
1. A change is made to X (say, it is moved to another OU in the same domain A).
2. The GC of Domain A gets updated instantly.
3. Since the GC of domain B holds a partial replica of all other domains in the same forest,
this update is marked in the GC of domain B.
4. The Infrastructure Master (IM) always checks the phantom objects in its own domain
partition against the GC.
5. Since the GC of domain B is updated with the new change, the IM finds that the domain
partition it holds is outdated and hence updates its own domain partition and then updates
the phantom object.
Now what happens if the IM is on a GC?
The domain partition of the IM will always be up to date since the server is a GC.
Therefore the IM will not find any outdated objects in its own domain partition and
thereby never updates the phantom object.
No impact if there is only one domain in the forest.
An IM can be on a GC when:
All the DCs in the domain are global catalog servers.
There is only one domain in the forest.

The content of the system state backup includes:
Registry
COM+ Class Registration database
Boot files, including the system files
System files that are under Windows File Protection
Active Directory directory service (if it is a domain controller)
SYSVOL directory (if it is a domain controller)
Cluster service information (if it is part of a cluster)
IIS Metadirectory (if it is an IIS server)
Certificate Services database (if it is a certificate server)
