Windows Server
 Domain Controller Promoter (DCPromo) with improved wizard: the Active Directory Domain Services installation wizard lets you view all the steps and review the detailed results during the installation process.
 Enhanced Administrative Center: compared with earlier versions, the Active Directory Administrative Center (ADAC) in Windows Server 2012 is better designed and exposes far more tasks in the GUI.
 Recycle Bin goes GUI: in Windows Server 2012 the Active Directory Recycle Bin can be enabled, and deleted objects browsed and restored, from the GUI in ADAC. In earlier versions this required Windows PowerShell or LDP.
 Fine-grained password policies (FGPP): in Windows Server 2012 implementing FGPP is much easier than before, because ADAC provides a GUI for Password Settings Objects (PSOs). FGPP lets you apply different password and lockout policies to different users and global groups in the same domain.
 Windows PowerShell History Viewer: you can view the Windows PowerShell commands that correspond to the actions you execute in the ADAC UI, which is a convenient way to learn the cmdlets for scripting the same tasks.
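The same two tasks that ADAC exposes in the GUI, enabling the Recycle Bin and creating a fine-grained password policy, scripted with the ActiveDirectory module. This is an added example, not code from the original document; it assumes the RSAT ActiveDirectory module and Domain/Enterprise Admins rights, and the PSO name, its settings and the user `ram` used for verification are assumptions.

```powershell
# Added example (not part of the original document). Assumes the RSAT ActiveDirectory
# module and Domain/Enterprise Admins rights. The PSO name, its settings and the
# user "ram" used for verification are assumptions.
Import-Module ActiveDirectory

# 1) Enable the AD Recycle Bin. One-way operation; needs forest functional level 2008 R2 or later.
$forest = Get-ADForest
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $rb -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
}

# 2) A stricter policy for privileged accounts. When several PSOs apply to one user the
#    lowest Precedence wins; PSOs can be applied to users and global groups only.
$psoName = 'PSO-PrivilegedAccounts'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 20 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -PasswordHistoryCount 24 -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 90) `
        -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)
}
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins', 'Enterprise Admins'

# 3) Verify which policy really applies to a user (falls back to the domain default
#    policy when no PSO matches the user or any of its groups).
Get-ADUserResultantPasswordPolicy -Identity 'ram' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```

The verification step matters more than the creation step: a PSO that is linked to a group the user is not a member of silently does nothing, and `Get-ADUserResultantPasswordPolicy` is the only reliable way to see the policy the DC will enforce for that account.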

3) Mention which is the default protocol used in directory services?

The default protocol used in directory services is LDAP (Lightweight Directory Access Protocol), on TCP port 389 (LDAPS on 636, Global Catalog on 3268/3269).

4) Explain the term FOREST in AD?

A forest is a collection of one or more AD domains that share a single schema, a single configuration partition and a single global catalog, and are joined by transitive trusts. All DCs in the forest hold a copy of the schema and it is replicated among them. The forest, not the domain, is the security boundary of Active Directory.

5) Explain what is SYSVOL?

The SYSVOL folder keeps the server's copy of the domain's public files: Group Policy templates, logon/logoff scripts and similar content. The contents of SYSVOL are replicated to all domain controllers in the domain (by FRS on older domains, by DFS-R on current ones) and are shared as SYSVOL and NETLOGON. Anything that can write to SYSVOL can therefore push scripts and policy to every machine in the domain, so its permissions deserve the same scrutiny as the directory itself.

6) Mention what is the difference between domain admin groups and enterprise admins group in AD?

Enterprise Admins group:
 Members of this group have complete control of all domains in the forest.
 The group exists only in the forest root domain. By default it is a member of the Administrators group on all domain controllers in every domain of the forest, and it is required for forest-wide changes such as adding domains or creating site-level GPOs.
 As such this group has full control of the forest; add members with caution, and keep it empty except while a forest-level change is being made.

Domain Admins group:
 Members of this group have complete control of the domain.
 By default, this group is a member of the local Administrators group on all domain controllers, workstations and member servers at the time they are joined to the domain.
 As such the group has full control of the domain; add members with caution. Because any Domain Admin can take over a domain controller, and every domain in a forest trusts the others' DCs, a Domain Admin in one domain can in practice escalate to the entire forest.
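A recurring membership review of these groups is the practical follow-up to "add users with caution". The following is an added example, not code from the original document; it assumes the RSAT ActiveDirectory module and read access to every domain in the forest. It expands nested membership, which is where unexpected members usually hide, and flags members that look stale or are service accounts.

```powershell
# Added example (not part of the original document). Assumes the RSAT ActiveDirectory
# module and read access to all domains in the forest.
Import-Module ActiveDirectory

# Domain portion of a DN ("CN=x,OU=y,DC=corp,DC=example" -> "corp.example"), so that
# members from other domains in the forest can be looked up against their own domain.
function Get-DomainFromDN([string]$dn) {
    (($dn -split ',' | Where-Object { $_ -like 'DC=*' }) -replace '^DC=') -join '.'
}

$root = (Get-ADForest).RootDomain
$here = (Get-ADDomain).DNSRoot
$groups = @(
    @{ Name = 'Enterprise Admins'; Server = $root },   # forest root only
    @{ Name = 'Schema Admins';     Server = $root },   # forest root only
    @{ Name = 'Domain Admins';     Server = $here },
    @{ Name = 'Administrators';    Server = $here }
)

foreach ($g in $groups) {
    # -Recursive expands nested groups; the flat list is what actually holds the rights
    $members = Get-ADGroupMember -Identity $g.Name -Server $g.Server -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            Get-ADUser -Identity $_.distinguishedName -Server (Get-DomainFromDN $_.distinguishedName) `
                -Properties Enabled, PasswordLastSet, LastLogonDate, ServicePrincipalName
        }

    [pscustomobject]@{ Group = $g.Name; Domain = $g.Server; Members = @($members).Count }

    # Findings: disabled accounts still holding rights, service accounts (SPN set) in
    # admin groups, and passwords older than a year.
    $members | Where-Object {
        -not $_.Enabled -or $_.ServicePrincipalName -or $_.PasswordLastSet -lt (Get-Date).AddDays(-365)
    } | Select-Object @{n='Group';e={$g.Name}}, SamAccountName, Enabled, PasswordLastSet, LastLogonDate,
        @{n='HasSPN';e={[bool]$_.ServicePrincipalName}}
}
```

Run it from a scheduled task and diff the output against the previous run; a new member of Enterprise Admins or Schema Admins that nobody can explain is a security incident, not a housekeeping item.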

7) Mention what system state data contains?

System state data contains:

 Boot (startup) files
 The registry
 The COM+ class registration database
 System files protected by Windows File Protection
 The Active Directory database (ntds.dit) and its logs, on a domain controller
 The SYSVOL folder, on a domain controller
 Cluster service information, on a cluster node
 The Certificate Services database, on a certification authority

The memory page file is not part of system state. Because a DC's system state backup contains ntds.dit together with the SYSTEM hive (and therefore the boot key that protects the password hashes), it must be stored and handled with the same care as the domain controller itself.

8) Mention what is Kerberos?

Kerberos is a network authentication protocol. It is built to offer strong mutual authentication for client/server applications by using secret-key cryptography and a trusted third party, the Key Distribution Center (KDC), which in Active Directory runs on every domain controller. It is the default authentication protocol in AD domains; NTLM is used only as a fallback.

9) Explain where does the AD database is held? What other folders are related to AD?

The AD database is stored in %SystemRoot%\NTDS by default. In the same folder you will find the other files that control the AD database structure:
 ntds.dit (the database itself)
 edb.log (the current transaction log)
 res1.log and res2.log (reserved transaction logs; on Windows Server 2008 and later these are edbres00001.jrs and edbres00002.jrs)
 edb.chk (the checkpoint file)
 temp.edb (scratch space for in-progress transactions)

Because ntds.dit holds every account's password hashes, protected only by the boot key in the registry's SYSTEM hive, restrict access to this folder, its backups and volume shadow copies to the DC's administrators, and alert on tools that copy it (ntdsutil "ifm", vssadmin, diskshadow).
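A check that a practitioner would run on a DC to confirm where the database actually lives (it is often moved off the system drive) and who can read it. This is an added example, not code from the original document; it assumes it is run as an administrator on a domain controller, and the registry value names are the ones the AD DS installation writes under the NTDS service key.

```powershell
# Added example (not part of the original document). Run as an administrator on a DC.
# The AD DS installation records the real file locations here; do not assume %SystemRoot%\NTDS.
$p    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dit  = $p.'DSA Database file'
$logs = $p.'Database log files path'

# 1) The files the answer above lists, where the DC says they are
$dit, (Join-Path $logs 'edb.log'), (Join-Path $logs 'edb.chk') | ForEach-Object {
    [pscustomobject]@{ Path = $_; Exists = Test-Path $_; SizeMB = if (Test-Path $_) { [math]::Round((Get-Item $_).Length / 1MB, 1) } }
}

# 2) Anyone other than SYSTEM and Administrators with rights on the database directory is a finding
(Get-Acl (Split-Path $dit)).Access |
    Where-Object { $_.IdentityReference -notmatch 'SYSTEM|Administrators|CREATOR OWNER' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited

# 3) A locked ntds.dit is usually copied through a volume shadow copy; recent VSS activity
#    on a DC that has no scheduled backup at that time deserves a look.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'VSS'; StartTime = (Get-Date).AddDays(-7) } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{n='Message';e={ $_.Message -split "`n" | Select-Object -First 1 }} -First 10
```

Step 3 is a coarse filter, not a detector: legitimate backups create the same events, so correlate the timestamps with the backup schedule before raising anything.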

10) Mention what is PDC emulator and how would one know whether PDC emulator is working or not?

PDC Emulator: there is one PDC emulator per domain. Password changes made on any DC are replicated to the PDC emulator first, and when a logon fails with a bad password on another DC, that DC retries the authentication against the PDC emulator before rejecting it, so the PDC emulator always has the newest password and acts as the "tie-breaker". It also processes account lockouts, is the default DC for editing Group Policy, and is the authoritative time source for the domain (the forest root domain's PDC emulator should itself sync from an external source).

These are the symptoms that show the PDC emulator is not working:

 Time is not syncing across the domain
 Account lockouts are not being enforced, or recently changed passwords are rejected
 Windows NT BDCs are not getting updates
 Pre-Windows 2000 computers are unable to change their passwords
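Checking the PDC emulator rather than waiting for the symptoms above. This is an added example, not code from the original document; it assumes the RSAT ActiveDirectory module, that `w32tm` can query the remote DC, and that the caller can read the DC's Security log. The time-source check catches the common misconfiguration where the forest root PDC emulator is syncing from its own hardware clock.

```powershell
# Added example (not part of the original document). Assumes the RSAT ActiveDirectory
# module, w32tm access to the DC and read access to its Security log.
Import-Module ActiveDirectory
$pdce = (Get-ADDomain).PDCEmulator
"PDC emulator: $pdce"

# 1) Reachable?
"Reachable: " + (Test-Connection -ComputerName $pdce -Count 2 -Quiet)

# 2) Where does the PDCe itself get time from? "Local CMOS Clock" on the forest root PDCe
#    means the whole forest is following an unsynchronised hardware clock.
$src = (w32tm /query /computer:$pdce /source) -join ' '
"Time source: $src"
if ($src -match 'Local CMOS Clock') { Write-Warning "PDCe $pdce is not syncing from an external source" }

# 3) Offset between this host and the PDCe; Kerberos tolerates 5 minutes by default,
#    so anything approaching that will start producing KRB_AP_ERR_SKEW failures.
w32tm /stripchart /computer:$pdce /samples:3 /dataonly

# 4) Lockouts are processed on the PDCe: if they are expected but 4740 events stop
#    appearing there, the role is not doing its job (or the role holder has moved).
Get-WinEvent -ComputerName $pdce -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-24) } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{n='LockedAccount';e={ $_.Properties[0].Value }}, @{n='CallerComputer';e={ $_.Properties[1].Value }} -First 5
```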

11) Mention what are lingering objects?

Lingering objects can exist if a domain controller does not replicate for an interval longer than the tombstone lifetime (TSL). Deletions that happened during the outage have already been garbage-collected on the healthy DCs, so the deleted object survives only on the stale DC and, once replication resumes, can be reintroduced into the domain. With strict replication consistency enabled (the default on newer forests) the healthy DCs refuse to replicate from that partner instead; lingering objects are then removed with repadmin /removelingeringobjects against a clean reference DC.

12) Mention what is TOMBSTONE lifetime?

The tombstone lifetime in an Active Directory forest determines how long a deleted object is retained before it is garbage-collected for good. Deleted objects are stored as special objects referred to as tombstones, in the Deleted Objects container of each partition. If the tombstoneLifetime attribute on CN=Directory Service,CN=Windows NT,CN=Services in the configuration partition is not set, Windows uses 60 days; forests created on Windows Server 2003 SP1 or later set it to 180 days. The TSL also caps how old a system state backup may be and still be restorable, and how long a DC may stay offline before it must be rebuilt.
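Reading the tombstone lifetime that is actually in force and comparing it with each DC's last successful inbound replication is the check behind both of the last two questions: any DC that is past the TSL is a lingering-object risk. This is an added example, not code from the original document; it assumes the RSAT ActiveDirectory module and read access to the configuration partition and to each DC.

```powershell
# Added example (not part of the original document). Assumes the RSAT ActiveDirectory
# module and read access to every DC in the domain.
Import-Module ActiveDirectory

# 1) The TSL in force: the attribute is absent on older forests, which means 60 days.
$cfg = (Get-ADRootDSE).configurationNamingContext
$ds  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
$tsl = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
"Tombstone lifetime: $tsl days"

# 2) Any inbound partnership that has not succeeded within the TSL can reintroduce
#    objects that everyone else has already garbage-collected.
$limit = (Get-Date).AddDays(-$tsl)
foreach ($dc in Get-ADDomainController -Filter *) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction SilentlyContinue |
        Where-Object { $_.LastReplicationSuccess -lt $limit } |
        Select-Object Server, Partition, Partner, LastReplicationSuccess, ConsecutiveReplicationFailures
}

# 3) Strict replication consistency (local DC): 1 = refuse stale partners, 0 = accept them
$strict = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
    -Name 'Strict Replication Consistency' -ErrorAction SilentlyContinue
"Strict Replication Consistency on this DC: $($strict.'Strict Replication Consistency')"
```

Step 2 lists partnerships, not just DCs: a DC can be current for the domain partition and months behind on the configuration or a DNS application partition, and the lingering objects will be in the partition you were not looking at.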

13) Explain what is Active Directory Schema?

The schema is the Active Directory component that describes all the object classes and attributes the directory service uses to store data. It is forest-wide, replicated to every DC, and changes to it are made only by members of Schema Admins on the schema master.

14) Explain what is a child DC?

A child DC is a domain controller for a child domain, that is, a domain created beneath the forest root (or another parent) domain that shares its contiguous DNS namespace, for example sales.corp.example under corp.example.
15) Explain what is RID Master?

The RID master (Relative Identifier master) allocates pools of RIDs to every domain controller in the domain. Each DC combines a RID from its pool with the domain SID to build the unique SID of each security principal (user, group or computer) it creates. There is one RID master per domain; if it is unavailable, DCs keep creating objects until their current pool is exhausted.

16) Mention what are the components of AD?

Components of AD include:

 Logical Structure: Trees, Forest, Domains and OU


 Physical Structures: Domain controller and Sites

17) Explain what is Infrastructure Master?

The infrastructure master is responsible for updating references to objects in other domains, for example members of a group that belong to another domain, when those objects are renamed or moved. There is one per domain. It must not be placed on a global catalog server unless every DC in the domain is a global catalog, because a GC already holds the referenced objects and the role would never update anything.

1. Question 1. Mention What Is Active Directory?

Answer :
Active Directory is the directory service used on Microsoft Windows-based servers and computers to store data and information about the network and its domains: users, groups, computers, policies and the relationships between them. It provides authentication (Kerberos, NTLM) and authorisation for every domain-joined system.
2. Question 2. What Is Domains In Active Directory?
Answer :
In Windows 2000, a domain defines both an administrative boundary and a security
boundary for a collection of objects that are relevant to a specific group
of users on a network. A domain is an administrative boundary because
administrative privileges do not extend to other domains. It is described as a security
boundary because each domain has a security policy that extends to all security accounts
within the domain. Active Directory stores information about objects in one or
more domains. In practice the forest is the real security boundary: a Domain Admin in any domain can compromise its DCs and, through the trusts between domains, the rest of the forest.
Domains can be organized into parent-child relationships to form a hierarchy. A
parent domain is the domain directly superior in the hierarchy to one or more
subordinate, or child, domains. A child domain also can be the parent of one or
more child domains.
1. Question 4. What Is Mixed Mode?
Answer :
Mixed mode allows domain controllers running both Windows 2000 and earlier versions of
Windows NT to co-exist in the domain. In mixed mode, the domain features from
previous versions of Windows NT Server are still enabled, while some Windows
2000 features are disabled. Windows 2000 Server domains are installed in mixed
mode by default. In mixed mode the domain may have Windows NT 4.0 backup
domain controllers present. Nested groups are not supported in mixed mode. Later versions replace mixed and native mode with domain and forest functional levels.
1. Question 6. What Is Native Mode?
Answer :
When all the domain controllers in a given domain are running Windows 2000
Server. This mode allows organizations to take advantage of new Active Directory
features such as Universal groups, nested group membership, and inter-domain
group membership.

1. Question 8. What Is Ldap?
Answer :
LDAP is the directory service protocol that is used to query and update AD. LDAP
naming paths are used to access AD objects and include the following:
o Distinguished names, which identify an object uniquely in the directory, for example CN=Ram,OU=Users,DC=corp,DC=example
o Relative distinguished names, the leaf part of a DN, for example CN=Ram
Plain LDAP on port 389 is not encrypted; require LDAP signing and channel binding, or use LDAPS on 636, so that credentials and directory data are not exposed on the wire.
1. Question 10. Minimum Requirement For Installing Ad?
Answer :
o Windows Server, Advanced Server, Datacenter Server
o Minimum Disk space of 200MB for AD and 50MB for log files
o NTFS partition
o TCP/IP Installed and Configured to use DNS
o Administrative privilege for creating a domain in existing network
1. Question 12. What Is Domain Controller?
Answer :
In an Active Directory forest, a domain controller is a server that holds a
writable copy of the Active Directory database (a read-only copy on an RODC), participates in Active Directory
replication, authenticates users and computers, and controls access to network resources.
2. Question 14. Why We Need Netlogon?
Answer :
Netlogon maintains a secure channel between this computer and the domain controller for
authenticating users and services. If this service is stopped, the computer may
not authenticate users and services, and a domain controller cannot register its
DNS records.
1. Question 15. Explain What Is Active Directory Schema?
Answer :
Schema is an active directory component describes all the attributes and objects
that the directory service uses to store data.
2. Question 16. What Is Dns Scavenging?
Answer :
Scavenging cleans up old, unused dynamically registered records in DNS, based on the aging settings of the zone and records. Set the no-refresh and refresh intervals with care: scavenging that is too aggressive deletes records for hosts that are merely off for a while, including the SRV records that clients use to find domain controllers.
2. Question 18. What Is New In Windows Server 2008 Active Directory Domain
Services?
Answer :
o AD Domain Services auditing
o Fine-Grained Password Policies
o Read-Only Domain Controllers
o Restartable Active Directory Domain Services
2. Question 20. Explain What Are Rodcs? And What Are The Major Benefits Of
Using Rodcs?
Answer :
A read-only domain controller holds a read-only copy of the directory and, by default, caches no account passwords; which accounts may be cached is controlled by its Password Replication Policy, and highly privileged accounts are denied by default. With RODCs, organizations can deploy a domain controller
in locations where physical security cannot be guaranteed: if the RODC is stolen, only the passwords it was allowed to cache are exposed, and they can be reset from the list the RODC recorded. An RODC also cannot originate changes, so a compromised RODC cannot write to the rest of the forest.
2. Question 22. What Is The Number Of Permitted Unsuccessful Log Ons On
Administrator Account?
Answer :
Unlimited: the built-in Administrator account (RID 500) is not locked out by the account lockout policy. Remember, though, that this applies to that one account, not to every account
that is a member of the Administrators group. Because it cannot be locked out, it is a standing target for password guessing: rename or disable it, and monitor failed logons against it (Event IDs 4625 and 4771).
2. Question 24. What Hidden Shares Exist On Windows Server 2003
Installation?
Answer :
Hidden (administrative) shares have names ending in $ and are not listed when the server is browsed: ADMIN$ (%SystemRoot%), C$ and one <drive>$ per fixed disk, IPC$ (named pipes) and PRINT$ (printer drivers). NETLOGON and SYSVOL also exist on every domain controller, but they are ordinary visible shares, not hidden ones. Members of Administrators can reach any domain-joined machine through ADMIN$ and C$, which is why remote-execution and lateral-movement tooling relies on them; Event IDs 5140 and 5145 record access to them.
1. Question 25. Can You Connect Active Directory To Other 3rd-party
Directory Services? Name A Few Options?
Answer :
Yes, you can connect Active Directory to other 3rd-party directory services such
as the directories used by SAP, Lotus Domino, etc. with the help of MIIS (Microsoft Identity
Integration Server), later renamed ILM and then Forefront Identity Manager / Microsoft Identity Manager.
2. Question 26. What Is The List Folder Contents Permission On The Folder In
Ntfs?
Answer :
Same as Read & Execute, but not inherited by files within a folder. However, newly
created subfolders will inherit this permission.
1. Question 27. How Do I Set Up Dns For Other Dcs In The Domain That Are
Running Dns?
Answer :
For each additional DC that is running DNS, the preferred DNS setting is the parent
DNS server (the first DC in the domain), and the alternate DNS setting is the IP
address of the DC's own network interface. Current Microsoft guidance is the same idea in general form: point each DC's preferred DNS at another DC (ideally in the same site) and its alternate at itself, so that a DC never depends only on itself while it is starting up.
1. Question 28. Where Is Gpt Stored?
Answer :
%SystemRoot%\SYSVOL\sysvol\<domain name>\Policies\{GUID}
2. Question 29. Tell Me What Should I Do If The Dc Points To Itself For Dns,
But The Srv Records Still Do Not Appear In The Zone?
Answer :
Check for a disjointed namespace, and then run Netdiag.exe /fix. You must install
Support Tools from the Windows 2000 Server CD-ROM to run Netdiag.exe. On Windows Server 2008 and later Netdiag no longer exists; use dcdiag /test:dns and nltest /dsregdns (or restart the Netlogon service) to re-register the records.
3. Question 30. Abbreviate Gpt And Gpc?
Answer :
GPT : Group policy template.
GPC : Group policy container.
4. Question 31. Tell Me What If My Windows 2000 Or Windows Server 2003
Dns Server Is Behind A Proxy Server Or Firewall?
Answer :
If you are able to query the ISP's DNS servers from behind the proxy server or
firewall, Windows 2000 and Windows Server 2003 DNS server is able to query the
root hint servers. UDP and TCP Port 53 should be open on the proxy server or
firewall.
5. Question 32. Explain What Is The Difference Between Local, Global And
Universal Groups?
Answer :
Domain local groups can contain accounts, global groups and universal groups from any trusted domain, but can only be granted permissions on resources in their own domain. Global groups can contain only accounts and global groups from their own domain, but can be granted permissions on resources in any trusted domain. Universal groups can contain accounts, global groups and universal groups from any domain in the forest and can be granted permissions anywhere in the forest; their membership is stored in the global catalog, so membership changes replicate forest-wide. The usual pattern is AGDLP: put Accounts in Global groups, global groups in Domain Local groups, and assign Permissions to the domain local group.
6. Question 33. Do You Know What Is The "." Zone In My Forward Lookup
Zone?
Answer :
This setting designates the Windows 2000 DNS server to be a root hint server and
is usually deleted. If you do not delete this setting, you may not be able to perform
external name resolution to the root hint servers on the Internet.
1. Question 34. Define Lsdou?
Answer :
It’s group policy inheritance model, where the policies are applied to Local
machines, Sites, Domains and Organizational Units
2. Question 35. Define Attribute Value?
Answer :
What this question is really about is an attribute value conflict: an object's attribute is set to one value on one DC and to a different value on a second DC before the two have replicated. Active Directory resolves the conflict deterministically, by the higher version number of the attribute, then by the later originating timestamp, then by the originating DC's invocation ID, so every DC ends up with the same value.
3. Question 36. What Is Netdom?
Answer :
NETDOM is a command-line tool that allows management of Windows domains
and trust relationships
4. Question 37. Do You Know How Kerberos V5 Works?
Answer :
The Kerberos V5 authentication mechanism issues tickets (a set of identification
data for a security principal, issued by a DC acting as Key Distribution Center for purposes of user authentication;
the two forms of ticket in Windows 2000 are ticket-granting tickets (TGTs) and
service tickets) for accessing network services. A ticket contains the client's identity, authorization data (in Windows, the PAC listing the user's group SIDs) and a session key, all encrypted with the long-term key of the service the ticket is for (the krbtgt account's key in the case of a TGT). The user's password itself is never sent across the network; it is used only to derive the key that decrypts the initial reply from the KDC. Because ticket security rests on those long-term keys, weak service-account passwords and an old krbtgt key are what attackers go after.
5. Question 38. What Is Adsiedit?
Answer :
ADSI Edit is an LDAP editor for managing objects in Active Directory. This Active
Directory tool lets you view objects and attributes that are not exposed in the
Active Directory Management Console.
6. Question 39. What Is Kerberos V5 Authentication Process?
Answer :
Kerberos V5 is the primary security protocol for authentication within a domain.
The Kerberos V5 protocol verifies both the identity of the user and network
services. This dual verification is known as mutual authentication.
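Where the Kerberos design described in the two answers above is weakest in an AD domain is the long-term keys: service accounts with an SPN (any authenticated user can request a ticket encrypted with their key and try to crack it offline), accounts without pre-authentication (the KDC will hand out material encrypted with their key to anyone who asks), RC4-only keys, and an old krbtgt key. The following inventory is an added example, not code from the original document; it assumes the RSAT ActiveDirectory module and read access to the domain. The bit values come from the userAccountControl and msDS-SupportedEncryptionTypes definitions.

```powershell
# Added example (not part of the original document). Assumes the RSAT ActiveDirectory
# module and read access to the domain.
Import-Module ActiveDirectory

# 1) User accounts with an SPN (krbtgt excluded). Their ticket is encrypted with the
#    account's password-derived key, so password age and encryption type matter.
#    msDS-SupportedEncryptionTypes: RC4 = 0x4, AES128 = 0x8, AES256 = 0x10; unset means RC4 for users.
$spnAccounts = Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
    -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', AdminCount
$spnAccounts | Select-Object SamAccountName, AdminCount, PasswordLastSet,
    @{n='AESEnabled'; e={ [bool]($_.'msDS-SupportedEncryptionTypes' -band 0x18) }},
    @{n='SPNs';       e={ $_.ServicePrincipalName -join '; ' }} |
    Sort-Object AdminCount, PasswordLastSet -Descending

# 2) Accounts that do not require Kerberos pre-authentication
#    (userAccountControl bit UF_DONT_REQUIRE_PREAUTH = 0x400000 = 4194304).
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' -Properties Enabled |
    Select-Object SamAccountName, Enabled, DistinguishedName

# 3) Age of the krbtgt key: every TGT in the domain is protected by it, and a forged TGT
#    keeps working until the key has been changed twice.
$krbtgt = Get-ADUser krbtgt -Properties PasswordLastSet
[pscustomobject]@{ Account = 'krbtgt'; PasswordLastSet = $krbtgt.PasswordLastSet
                   AgeDays = [int]((Get-Date) - $krbtgt.PasswordLastSet).TotalDays }
```

Findings to act on: privileged (AdminCount=1) accounts with SPNs and old passwords, anything in list 2 that is enabled, and a krbtgt key older than the organisation's rotation policy. Moving SPN accounts to group managed service accounts removes the weak-password problem entirely.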
7. Question 40. Define The Schema Master Failure?
Answer :
Temporary loss of the schema operations master will be visible only if we are
trying to modify the schema or install an application that modifies the schema
during installation. A DC whose schema master role has been seized must never
be brought back online.
8. Question 41. What Is Replmon?
Answer :
Replmon (Active Directory Replication Monitor) was the graphical tool in the Windows 2000/2003 Support Tools for troubleshooting Active Directory replication issues. It is no longer shipped; on current versions use repadmin /showrepl and repadmin /replsummary, or the Get-ADReplication* cmdlets.
9. Question 42. How To Find Fsmo Roles?
Answer :
Netdom query fsmo, or (on older systems) Replmon.exe. The Get-ADForest and Get-ADDomain cmdlets also show the forest-wide and domain-wide role holders respectively.
10. Question 43. Describe The Infrastructure Fsmo Role?
Answer :
When an object in one domain is referenced by another object in another domain,
it represents the reference by the GUID, the SID (for references to security
principals), and the DN of the object being referenced. The infrastructure FSMO
role holder is the DC responsible for updating an object's SID and distinguished
name in a cross-domain object reference.
11. Question 44. What Are The Advantages Of Active Directory Sites?
Answer :
Active Directory Sites and Services allow you to specify site information. Active
Directory uses this information to determine how best to use available network
resources.
12. Question 45. Define Edb.chk?
Answer :
This is the checkpoint file used to track the data not yet written to database file.
This indicates the starting point from which data is to be recovered from the log
file, in case of failure.
13. Question 46. Define Edb.log?
Answer :
This is the transaction log file (10 MB). When EDB.LOG is full, it is renamed to
EDBnnnn.log. Where nnnn is the increasing number starting from 1.
14. Question 47. How To View All The Gcs In The Forest?
Answer :
repadmin /options <DC name> shows IS_GC in the current options of a DC that is a global catalog.
nltest /dsgetdc:<domain> /GC locates a global catalog for the domain.
Get-ADForest lists every GC in the forest in its GlobalCatalogs property.
15. Question 48. How To Seize Fsmo Roles?
Answer :
ntdsutil, then at its prompts: roles, connections, connect to server <servername>, q, then at the fsmo maintenance prompt: seize rid master (or seize the other roles as needed). Seize only when the current holder is permanently gone; it must never be brought back online afterwards, and its metadata should be cleaned up.
16. Question 49. How To Transfer Fsmo Roles?
Answer :
ntdsutil, then at its prompts: roles, connections, connect to server <servername>, q, then at the fsmo maintenance prompt: transfer rid master (or transfer the other roles as needed). Transfer requires the current holder to be online and is always preferred over seizure.
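The same three operations from questions 42, 48 and 49, finding the role holders, transferring and seizing, with the ActiveDirectory module instead of netdom and ntdsutil. This is an added example, not code from the original document; it assumes the RSAT ActiveDirectory module, Enterprise Admins (for the schema and domain naming roles) or Domain Admins rights, and a target DC named DC02, which is an assumption.

```powershell
# Added example (not part of the original document). Assumes the RSAT ActiveDirectory
# module, appropriate admin rights, and a target DC named DC02 (assumed).
Import-Module ActiveDirectory
$target = 'DC02'

# 1) Who holds which role today (netdom query fsmo equivalent)
$f = Get-ADForest; $d = Get-ADDomain
[pscustomobject]@{
    SchemaMaster = $f.SchemaMaster; DomainNamingMaster = $f.DomainNamingMaster
    PDCEmulator  = $d.PDCEmulator;  RIDMaster = $d.RIDMaster; InfrastructureMaster = $d.InfrastructureMaster
}

# 2) Graceful transfer: the current holder is online, agrees, and replicates the change.
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole RIDMaster, PDCEmulator -Confirm:$false

# 3) Seizure: only when the holder is gone for good. -Force writes the role to the target
#    without the old holder's agreement, so the old holder must never return to the network;
#    remove it with "ntdsutil metadata cleanup" or by deleting its NTDS Settings object.
$seize = $false   # flip deliberately; there is no undo
if ($seize) {
    Move-ADDirectoryServerOperationMasterRole -Identity $target `
        -OperationMasterRole SchemaMaster, DomainNamingMaster, InfrastructureMaster -Force -Confirm:$false
}

# 4) Verify from the target itself, not from a DC that may not have replicated yet
Get-ADDomain -Server $target | Select-Object RIDMaster, PDCEmulator, InfrastructureMaster
Get-ADForest -Server $target | Select-Object SchemaMaster, DomainNamingMaster
```

Check the target's own view in step 4 because a transfer is a replicated change: querying a third DC immediately afterwards can still show the old holder and tempt a second, unnecessary seizure.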
17. Question 50. What Is The Kcc (knowledge Consistency Checker)?
Answer :
The KCC generates and maintains the replication topology for replication within
sites and between sites. KCC runs every 15 minutes.
18. Question 51. What Is Schema Information In Active Directory?
Answer :
Definitional details about objects and attributes that one CAN store in the AD.
Replicates to all DCs. Static in nature.
19. Question 52. What Is Online Defragmentation In Active Directory?
Answer :
Online Defragmentation method that runs as part of the garbage collection
process. The only advantage to this method is that the server does not need to be
taken offline for it to run. However, this method does not shrink the Active
Directory database file (Ntds.dit).
20. Question 53. What Is Ads Database Garbage Collection Process?
Answer :
Garbage Collection is a process that is designed to free space within the Active
Directory database. This process runs independently on every DC with a default
lifetime interval of 12 hours.
21. Question 54. Define Res1.log And Res2.log?
Answer :
These are reserved transaction log files of 20 MB in total (10 MB each) which give the
database engine enough room to shut down cleanly if the disk fills up. On Windows Server 2008 and later they are named edbres00001.jrs and edbres00002.jrs.
22. Question 55. What Is Domain Information In Active Directory?
Answer :
Object information for a domain. Replicates to all DCs within a domain. The object
portion becomes part of GC. The attribute values only replicates within the
domain.
24. Question 57. How Will You Verify Whether The Ad Installation Is Proper
With Srv Resource Records?
Answer :
Verify SRV Resource Records: After AD is installed, the DC will register SRV
records in DNS when it restarts. We can check this using DNS MMC or nslookup
command.
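The same verification scripted, so it can be repeated after every promotion and after DNS changes. This is an added example, not code from the original document; it assumes the RSAT ActiveDirectory module and that the DNS client of the machine running it resolves the domain's zone. It checks the records that clients actually use to find DCs, the PDC emulator and global catalogs, and reports which DC is missing from each.

```powershell
# Added example (not part of the original document). Assumes the RSAT ActiveDirectory
# module and a DNS client that can resolve the domain's zone.
Import-Module ActiveDirectory
$d = Get-ADDomain; $f = Get-ADForest
$domain = $d.DNSRoot.ToLower()
$root   = $f.RootDomain.ToLower()
$allDcs = (Get-ADDomainController -Filter * -Server $domain).HostName

# Record -> DCs that are expected to appear in it
$expected = [ordered]@{
    "_ldap._tcp.dc._msdcs.$domain"     = $allDcs               # every DC in the domain
    "_kerberos._tcp.dc._msdcs.$domain" = $allDcs               # every DC (KDC)
    "_ldap._tcp.pdc._msdcs.$domain"    = @($d.PDCEmulator)     # exactly one
    "_ldap._tcp.gc._msdcs.$root"       = $f.GlobalCatalogs     # GCs register under the forest root
}

foreach ($rec in $expected.Keys) {
    $found = (Resolve-DnsName -Name $rec -Type SRV -ErrorAction SilentlyContinue |
              Where-Object Type -eq 'SRV').NameTarget -replace '\.$'
    [pscustomobject]@{
        Record  = $rec
        Found   = @($found).Count
        Missing = ($expected[$rec] | Where-Object { $found -notcontains ($_ -replace '\.$') }) -join ', '
    }
}
# A DC that is missing re-registers its records with "nltest /dsregdns", run on that DC.
```

An extra target that is not in the expected list is as interesting as a missing one: a decommissioned DC whose records were never scavenged still receives client logon attempts, and a record pointing at a host nobody recognises is worth an immediate look.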
25. Question 58. What Is Ntds.dit?
Answer :
This is the AD database and stores all AD objects, including the password hashes of every account. The default location is %SystemRoot%\NTDS\ntds.dit.
Active Directory's database engine is the Extensible Storage Engine (ESE), which is
based on the Jet database and can grow up to 16 TB.
26. Question 59. What Is Ntds.dit Schema Table?
Answer :
The types of objects that can be created in the Active Directory, relationships
between them, and the attributes on each type of object. This table is fairly static
and much smaller than the data table.

1. Question 1. Why Should We Use Group Policy?


Answer :
o For deploying software
o We can apply security
o For controlling Users environment, settings, per computer settings
o To manage desktop environment (To standardize environment)
o To modify the registry
2. Question 2. What Is Group Policy Object?
Answer :
We call the actual unit that we are creating, deleting, managing, working with is
called Group Policy object.
Group Policy objects have two components:
o Group Policy container
o Group Policy template
3. Question 3. What Is Group Policy Container?
Answer :
The Group Policy container is the Active Directory object, stored under CN=Policies,CN=System in the domain partition, that holds the GPO's properties: its version, status and the list of client-side extensions that have settings in it. Where the GPO applies (an organizational unit, a domain or a site) is determined by the links made to the GPO, not by the container itself.
4. Question 4. What Is Group Policy Template?
Answer :
When you create a group policy container automatically a template will be created
in the hard drive, in sysvol folder of the Domain Controller that is called Group
Policy template.
1. Question 5. Where Is Group Policy Template Stored?
Answer :
Group Policy template stored in sysvol folder.
1. Question 6. How To Create A Group Policy?
Answer :
Start –>Programs –>Administrative tools ->Active Directory Users and computers
->Right click on the container on which you want to apply Group Policy->Select
properties-> Click on Group Policy tab->Click on New
1. Question 7. What Are The Steps Do We Have When We Are Creating Group
Policy?
Answer :
There are two steps, one is creating Group policy and linking to the container.
Generally we create the group policy at container only so when you click on New it
creates and links the GPO to that container at a time. Suppose if you want to link a
group policy object to a container which is already created click on Add select the
group policy.
1. Question 8. What Are The Buttons Available On Group Policy Tab In
Properties Of A Container?
Answer :
o New (Creates new GPO)
o Add (links a GPO to this container which has created already)
o Edit (Edits the existing GPO)
o Delete Deletes the GPO
o Options (here you get the following check boxes): (i) No override –
Prevent other GPO from overriding policy set in this one; and(ii) Disabled
– This GPO is not applicable to this container
o Properties
Note: When you are deleting a GPO it asks two things:
o Remove the link from this list
o Remove the link and delete the GPO permanently
2. Question 9. What Is No Override Option In Gpo?
Answer :
Generally a policy set at one level is overridden by a conflicting setting at a lower level; if you don't
want this policy to be overridden at the sub-levels below it, you set No Override (called Enforced in GPMC).
Ex: If you set No Override at domain level, then that GPO will be applied throughout
the domain, even though you have configured the same policy differently at OU level.
1. Question 10. What Is Block Inheritance Of Gpo And Where It Is?
Answer :
The Block Inheritance option stops the group policies linked at higher levels from being inherited by this container, so that only the GPOs linked here take effect.
Right click on the container -> click on Group Policy -> go to Properties -> at the
bottom of the General tab you will find the Block inheritance check box.
Ex: If you select Block Inheritance at OU level, then no policy from the domain
level, the site level or the local policy will be applied to this OU (except GPOs set to No Override / Enforced).
2. Question 11. You Have Set The No Override Option At Domain Level And
Block Inheritance At Ou Level. Which Policy Will Take Effect?
Answer :
If you have set both then No override wins over the Block inheritance. So No
override will take effect.
1. Question 12. What Are The Options That Are Available When You Click On
Option Button On General Tab?
Answer :
o General
o Disable computer configuration settings (The settings those are set
under computer configuration of this GPO will not take effect.)
o Disable user configuration settings (The settings those are set under
User configuration of this GPO will not take effect.)
o Links (Displays the containers which have links to this GPO)
o Security (With security option you can set level of permissions and
settings to the individual users and groups. Ex: If you want to disable this
GPO to a particular user on this container, on security tab select that
user and select the deny check box for apply the Group Policy. Then the
GPO will not take effect to that user even though he is in that container.)
2. Question 13. What Will You See In The Group Policy Snap In?
Answer :
You will see two major portions, each with the same sub-portions:
o Computer Configuration
    o Software settings
        o Software installation
    o Windows settings
    o Administrative templates
o User Configuration
    o Software settings
        o Software installation
    o Windows settings
    o Administrative templates
Note: Administrative templates are for modifying the registry of Windows 2000
clients.
3. Question 14. What Is The Hierarchy Of Group Policy?
Answer :
o Local policy
o Site Policy
o Domain Policy
o OU Policy
o Sub OU Policy (If any are there)
4. Question 15. Who Can Create Site Level Group Policy?
Answer :
Enterprise Admin
1. Question 16. Who Can Create Domain Level Group Policy?
Answer :
Domain Admin
1. Question 17. Who Can Create Organizational Unit Level Group Policy?
Answer :
Domain Admin, or anyone delegated the right: members of Group Policy Creator Owners can create GPOs, and linking them to an OU can be delegated separately on the OU.
2. Question 18. Who Can Create Local Group Policy?
Answer :
Local Administrator or Domain Administrator
1. Question 19. What Is The Refresh Interval For Group Policy?
Answer :
The refresh interval for domain controllers is 5 minutes, and the refresh interval for all
other computers and users is 90 minutes plus a random offset of up to 30 minutes, so that clients do not all hit the DCs at once. Security settings are re-applied every 16 hours even when the GPO has not changed, and gpupdate /force triggers an immediate refresh.
2. Question 20. Why Do We Need To Manage And Control Desktop
Environment?
Answer :
o To decrease support time
o Eliminate potential for problems
o One standard environment to support
o Eliminate distractions
o To increase productivity
3. Question 21. What Is Group Policy Loop Back Process? How To Set It?
Answer :
Loopback processing applies the user settings of the GPOs that apply to the computer's OU, instead of (Replace mode) or in addition to (Merge mode, with the computer's GPOs winning conflicts) the GPOs that apply to the user's own OU. It is used for kiosks, terminal servers and other machines where the user experience must be dictated by the machine rather than by who logs on.
To set it: Start -> Programs -> Administrative Tools -> Active Directory Users and Computers
-> right click on the container -> click on the Group Policy tab -> click on Edit -> Computer
Configuration -> Administrative Templates -> System -> Group
Policy -> User Group Policy loopback processing mode -> select Enabled and choose Replace or Merge -> click OK.
4. Question 22. What Are The Players That Are Involved In Deploying
Software?
Answer :
o Group Policy: Within GP we specify that this software application
gets installed to this particular computer or to this particular user.
o Active Directory: Group Policy will be applied somewhere in Active
Directory.
o Microsoft Installer service
o Windows installer packages: The type of package that can be used by
Group Policy to deploy applications is .msi packages i.e., Microsoft
Installer packages.
5. Question 23. What Is The Package That Can Be Used To Deploy Software
Through Group Policy?
Answer :
Windows installer packages (.msi files)
6. Question 24. What Is Microsoft Installer Service?
Answer :
Microsoft Installer Service runs on the client machines in the Windows 2000
domain. It installs the minimum amount of an application, as you extend
functionality it installs the remaining part of application. It is responsible for
installing software in the client. It is also responsible for modifying, upgrading,
applying service packs.
1. Question 25. What Is Local Security Policy, Domain Security Policy, And
Domain Controller Security Policy In The Administrative Tools?
Answer :
o Local Security policy: This is group policy applied to local machine
o Domain Security Policy: Group Policy applied at domain level
o Domain Controller Security Policy: Group Policy applied at domain
controller level.
2. Question 26. What Are The Design Considerations For Group Policy?
Answer :
The following should be considered for designing group policies:
o Minimize linking: a GPO linked in many places can be deleted by someone who does not see who else is using it. Minimize linking for simplicity.
o Minimum number of GPOs: Microsoft suggests that one GPO with
100 settings will process faster than 100 GPOs each with one setting.
This is for performance.
o Delegate
o Minimize filtering: to keep your environment simple, try to minimize
filtering.
If you have several GPOs linked to a container, the GPO at the top of the list (link order 1) is applied last and therefore wins conflicts. If you want, you can move GPOs up and down.
If there is a conflict between two GPOs of the same container, the last applied GPO is
effective, i.e. the one higher in the link order.
1. Question 27. What Is Group Policy In Active Directory ? What Are Group
Policy Objects (gpos)?
Answer :
Group Policy objects, other than the local Group Policy object, are virtual objects.
The policy setting information of a GPO is actually stored in two locations: the
Group Policy container and the Group Policy template.
The Group Policy container is an Active Directory container that stores GPO
properties, including information on version, GPO status, and a list of components
that have settings in the GPO.
The Group Policy template is a folder structure within the file system that stores
Administrative Template-based policies, security settings, script files, and
information regarding applications that are available for Group Policy Software
Installation.
The Group Policy template is located in the system volume folder (Sysvol) in the
Policies subfolder for its domain.
1. Question 28. What Is The Order In Which Gpos Are Applied ?
Answer :
Group Policy settings are processed in the following order:
1. Local Group Policy object : Each computer has exactly one Group
Policy object that is stored locally. This processes for both computer
and user Group Policy processing.
2. Site : Any GPOs that have been linked to the site that the computer
belongs to are processed next. Processing is in the order that is
specified by the administrator, on the Linked Group Policy Objects tab
for the site in Group Policy Management Console (GPMC). The GPO with
the lowest link order is processed last, and therefore has the highest
precedence.
3. Domain: Processing of multiple domain-linked GPOs is in the order
specified by the administrator, on the Linked Group Policy Objects tab
for the domain in GPMC. The GPO with the lowest link order is
processed last, and therefore has the highest precedence.
4. Organizational units: GPOs that are linked to the organizational unit
that is highest in the Active Directory hierarchy are processed first, then
GPOs that are linked to its child organizational unit, and so on. Finally, the
GPOs that are linked to the organizational unit that contains the user or
computer are processed.
At the level of each organizational unit in the Active Directory hierarchy, one,
many, or no GPOs can be linked. If several GPOs are linked to an organizational
unit, their processing is in the order that is specified by the administrator, on the
Linked Group Policy Objects tab for the organizational unit in GPMC.
The GPO with the lowest link order is processed last, and therefore has the
highest precedence.
This order means that the local GPO is processed first, and GPOs that are linked
to the organizational unit of which the computer or user is a direct member are
processed last, which overwrites settings in the earlier GPOs if there are conflicts.
(If there are no conflicts, then the earlier and later settings are merely
aggregated.)
Question 29. How To Backup/Restore Group Policy Objects?
Answer :
1. Begin the process by logging on to a Windows Server 2008 domain
controller, and opening the Group Policy Management console. Now,
navigate through the console tree to Group Policy Management | Forest:
| Domains | | Group Policy Objects.
2. When you do, the details pane should display all of the group policy
objects that are associated with the domain. In Figure A there are only
two group policy objects, but in a production environment you may have
many more. The Group Policy Objects container stores all of the group
policy objects for the domain.
3. Now, right-click on the Group Policy Objects container, and choose
the Back Up All command from the shortcut menu. When you do,
Windows will open the Back Up Group Policy Object dialog box.
4. As you can see in Figure B, this dialog box requires you to provide the
path to which you want to store the backup files. You can either store the
backups in a dedicated folder on a local drive, or you can place them in a
folder on a mapped network drive. The dialog box also contains a
Description field that you can use to provide a description of the backup
that you are creating.
5. You must provide the path to which you want to store your backup of
the group policy objects.
6. To initiate the backup process, just click the Back Up button. When
the backup process completes, you should see a dialog box that tells
you how many group policy objects were successfully backed up. Click
OK to close the dialog box, and you’re all done.
7. When it comes to restoring a backup of any Group Policy Object, you
have two options. The first option is to right-click on the Group Policy
Object, and choose the Restore From Backup command from the
shortcut menu. When you do this, Windows will remove all of the
individual settings from the Group Policy Object, and then implement the
settings found in the backup.
8. Your other option is to right-click on the Group Policy Object you want
to restore, and choose the Import Settings option. This option works
more like a merge than a restore.
9. Any settings that presently reside within the Group Policy Object are
retained unless there are contradictory settings within the file that is
being imported.
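The same backup, restore and import operations can be scripted, which is how you would schedule them. The following added example (not from the original document) uses the GroupPolicy module from RSAT; the backup folder and the GPO names at the end are assumed placeholders.

```powershell
# Added example (not from the original document): the backup, restore and
# import steps above done with the GroupPolicy module (RSAT) instead of the
# GPMC dialogs. $BackupRoot and the GPO names used at the end are assumed.
Import-Module GroupPolicy

function Backup-AllGpos {
    param([string]$BackupRoot = 'D:\GPOBackups')   # assumed location; local or mapped drive
    # A timestamped folder per run keeps each day's backups apart; Backup-GPO
    # requires the target directory to exist.
    $dest = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $dest -Force | Out-Null

    $backups = Backup-GPO -All -Path $dest -Comment "All GPOs, $(Get-Date -Format 'u')"
    # Manifest of what was backed up: GPO name, GPO GUID and the backup's own ID.
    $backups | Select-Object DisplayName, GpoId, Id, CreationTime |
        Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation
    Write-Host ("Backed up {0} GPO(s) to {1}" -f @($backups).Count, $dest)
    return $dest
}

# Step 7: restore replaces every setting in the live GPO with the backed-up
# ones. With several backups of the same GPO in the folder, the newest is used
# unless a specific -BackupId is given.
function Restore-GpoFromBackup {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$BackupPath)
    Restore-GPO -Name $Name -Path $BackupPath
}

# Step 8: import merges the backed-up settings into a target GPO; settings
# already in the target survive unless the backup contradicts them.
# -CreateIfNeeded creates the target GPO when it does not exist yet.
function Import-GpoFromBackup {
    param([Parameter(Mandatory)][string]$SourceName,
          [Parameter(Mandatory)][string]$TargetName,
          [Parameter(Mandatory)][string]$BackupPath)
    Import-GPO -BackupGpoName $SourceName -TargetName $TargetName `
        -Path $BackupPath -CreateIfNeeded
}

# Usage with placeholder names:
$folder = Backup-AllGpos
Restore-GpoFromBackup -Name 'Sales Desktop' -BackupPath $folder
Import-GpoFromBackup -SourceName 'Sales Desktop' -TargetName 'Sales Desktop - staging' -BackupPath $folder
```

Keep the backup folder on storage that only Group Policy administrators can write to, since a tampered backup would be restored with full trust.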
Question 30. You Want To Standardize The Desktop Environments
(Wallpaper, My Documents, Start Menu, Printers Etc.) On The Computers In One
Department. How Would You Do That?
Answer :
1. Go to Start->Programs->Administrative Tools->Active Directory Users
and Computers.
2. Right-click on the domain and click Properties.
3. In the new window, click on the Group Policy tab.
4. Select Default Policy and click Edit.
5. The Group Policy console opens.
6. Go to User Configuration->Administrative Templates->Start Menu and
Taskbar.
7. Select each property you want to modify and do the same.
Question 31. What Is The Difference Between Software Publishing
And Assigning?
Answer :
Assign Users: The software application is advertised when the user logs on. It is
installed when the user clicks on the software application icon via the start menu,
or accesses a file that has been associated with the software application.
Assign Computers: The software application is advertised and installed when it is
safe to do so, such as when the computer is next restarted.
Publish to Users: The software application does not appear on the start menu or
desktop. This means the user may not know that the software is available. The
software application is made available via the Add/Remove Programs option in
control panel, or by clicking on a file that has been associated with the
application. Published applications do not reinstall themselves in the event of
accidental deletion, and it is not possible to publish to computers.
Question 32. What Are Administrative Templates?
Answer :
Administrative Templates are a feature of Group Policy, a Microsoft technology
for centralised management of machines and users in an Active Directory
environment. Administrative Templates facilitate the management of registry-
based policy. An ADM file is used to describe both the user interface presented to
the Group Policy administrator and the registry keys that should be updated on
the target machines.
An ADM file is a text file with a specific syntax which describes both the interface
and the registry values which will be changed if the policy is enabled or disabled.
ADM files are consumed by the Group Policy Object Editor (GPEdit). Windows XP
Service Pack 2 shipped with five ADM files (system.adm, inetres.adm,
wmplayer.adm, conf.adm and wuau.adm). These are merged into a unified
“namespace” in GPEdit and presented to the administrator under the
Administrative Templates node (for both machine and user policy).
Question 33. Can I Deploy Non-MSI Software With GPO?
Answer :
Create a file with the .zap extension.
Question 34. Name Some GPO Settings In The Computer And User Parts?
Answer :
A Group Policy Object (GPO) has two parts: Computer Configuration, which holds
the settings applied to the computer, and User Configuration, which holds the
settings applied to the user. Question 27 lists the kinds of settings each part
holds: Administrative Template-based policies, security settings, scripts and
Software Installation.
Question 35. A User Claims He Did Not Receive A GPO, Yet His User And
Computer Accounts Are In The Right OU, And Everyone Else There Gets The GPO.
What Will You Look For?
Answer :
Make sure the user is not subject to a loopback policy: with loopback processing,
the user's own GPO user settings are not applied and only the computer's policy
applies. Also check whether the user is a member of the GPO filter group.
You may also want to check the computer's event logs. If you find event ID 1085,
download the patch that fixes it and reboot the computer.
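The three checks above (loopback mode, security filtering, event ID 1085) can be gathered in one function. This is an added example, not from the original document; it assumes the GroupPolicy and ActiveDirectory modules from RSAT and PowerShell remoting to the user's computer, and the user, GPO and computer names at the end are placeholders.

```powershell
# Added example (not from the original document): checks the three causes
# named above for one user and one GPO. Assumes the GroupPolicy and
# ActiveDirectory modules (RSAT) and PowerShell remoting to the user's computer.
function Test-UserGpoDelivery {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$ComputerName
    )
    $findings = @()

    # 1. Loopback processing. The applied policy lives on the computer as
    #    UserPolicyMode under HKLM\SOFTWARE\Policies\Microsoft\Windows\System
    #    (1 = merge, 2 = replace); in replace mode the user's own GPOs are ignored.
    $mode = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
            -ErrorAction SilentlyContinue).UserPolicyMode
    }
    if ($mode -eq 2) { $findings += 'Loopback replace mode: only user settings from the computer''s GPOs apply.' }
    elseif ($mode -eq 1) { $findings += 'Loopback merge mode: computer-side user settings win on conflict.' }

    # 2. Security filtering. The user, or a group containing the user, must hold
    #    the Apply permission; Authenticated Users is an implicit membership.
    $groups = Get-ADPrincipalGroupMembership -Identity $SamAccountName |
        Select-Object -ExpandProperty SamAccountName
    $principals = @($SamAccountName, 'Authenticated Users') + @($groups)
    $appliers = Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
    if (-not ($appliers | Where-Object { $principals -contains $_ })) {
        $findings += "Security filtering: no Apply permission for '$SamAccountName' on '$GpoName' (Apply granted to: $($appliers -join ', '))."
    }

    # 3. Event ID 1085: a client-side extension failed to process policy.
    $events = Get-WinEvent -ComputerName $ComputerName -MaxEvents 5 -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'System'; Id = 1085 }
    foreach ($e in $events) {
        $findings += "Event 1085 at $($e.TimeCreated): $(($e.Message -split "`n")[0])"
    }

    if (-not $findings) { $findings = @('No loopback, filtering or event 1085 issue found; compare gpresult /r output next.') }
    return $findings
}

# Usage with placeholder names:
Test-UserGpoDelivery -SamAccountName 'jdoe' -GpoName 'Sales Desktop' -ComputerName 'PC-SALES-01'
```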
Question 36. How Frequently Is The Client Policy Refreshed?
Answer :
90 minutes give or take.
Question 37. Where Is Secedit?
Answer :
It’s now gpupdate.
Question 38. What Can Be Restricted On Windows Server 2003 That Wasn’t
There In Previous Products?
Answer :
Group Policy in Windows Server 2003 determines a user's right to modify network
and dial-up TCP/IP properties. Users may be selectively restricted from modifying
their IP address and other network configuration parameters.
Question 39. You Want To Create A New Group Policy But Do Not Wish To
Inherit.
Answer :
Make sure you check Block inheritance among the options when creating the
policy.
Question 40. How Do The Group Policy ‘No Override’ And ‘Block
Inheritance’ Options Work?
Answer :
Group Policies can be applied at multiple levels (sites, domains, organizational
units), with multiple GPOs at each level. Some policy settings will inevitably
conflict, hence the application order of Site – Domain – Organizational Unit,
and within each layer you set the order for all defined policies. However, you may
want to force some policies to never be overridden (No Override), and you may want
some containers not to inherit settings from a parent container (Block Inheritance).
A good definition of each is as follows:
No Override – This prevents child containers from overriding policies set at higher
levels
Block Inheritance – Stops containers inheriting policies from parent containers
No Override takes precedence over Block Inheritance, so if a child container has
Block Inheritance set but a group policy on the parent has No Override set, that
policy will still be applied.
Also, a No Override set at a higher level takes precedence over No Override
settings at lower levels.
To block inheritance perform the following:
1. Start the Active Directory Users and Computer snap-in (Start –
Programs – Administrative Tools – Active Directory Users and
Computers)
2. Right click on the container you wish to stop inheriting settings from
its parent and select
3. Select the ‘Group Policy’ tab
4. Check the ‘Block Policy inheritance’ option
5. Click Apply then OK
To set a policy to never be overridden perform the following:
1. Start the Active Directory Users and Computer snap-in (Start – –
Administrative Tools – Active Directory Users and Computers)
2. Right click on the container you wish to set a Group Policy to not be
overridden and select Properties
3. Select the ‘Group Policy’ tab
4. Click Options
5. Check the ‘No Override’ option
6. Click OK
7. Click Apply then OK
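The precedence rules of Question 28 (local, site, domain, OU order and link order) and of Question 40 (No Override, Block Inheritance) can be modelled in a few lines, which makes it easy to predict which GPO wins before touching a production link. The following added example (not from the original document) does that; the scopes, GPO names and settings are constructed sample data, and "Enforced" is the GPMC name for No Override.

```powershell
# Added example (not from the original document): a small model of the GPO
# precedence rules. Scopes, GPO names and settings are constructed sample data.
function Resolve-GpoPrecedence {
    param([object[]]$Scopes)   # processing order: Local, Site, Domain, OU (top) ... OU (deepest)

    # The deepest container with Block Inheritance discards non-enforced links
    # from every container above it. The local GPO (index 0) is never blocked.
    $blockAt = 0
    for ($i = 1; $i -lt $Scopes.Count; $i++) { if ($Scopes[$i].BlockInheritance) { $blockAt = $i } }

    $normal = @(); $enforced = @()
    for ($i = 0; $i -lt $Scopes.Count; $i++) {
        foreach ($link in $Scopes[$i].Links) {
            $entry = [pscustomobject]@{ Gpo = $link.Gpo; Level = $i; LinkOrder = $link.LinkOrder; Settings = $link.Settings }
            if ($link.Enforced)                   { $enforced += $entry }
            elseif ($i -eq 0 -or $i -ge $blockAt) { $normal   += $entry }
        }
    }
    # Non-enforced links: containers top-down; within one container the lowest
    # link order is processed last. Enforced links: processed after all others,
    # deepest container first, so the enforced GPO from the highest container wins.
    $order = @($normal   | Sort-Object Level, @{Expression = 'LinkOrder'; Descending = $true}) +
             @($enforced | Sort-Object @{Expression = 'Level'; Descending = $true}, @{Expression = 'LinkOrder'; Descending = $true})

    # Later GPOs overwrite earlier ones only where a setting conflicts;
    # non-conflicting settings simply accumulate.
    $effective = @{}
    foreach ($g in $order) { foreach ($k in $g.Settings.Keys) { $effective[$k] = "$($g.Settings[$k]) (from $($g.Gpo))" } }
    [pscustomobject]@{ ProcessingOrder = $order.Gpo; Effective = $effective }
}

# Constructed sample: the Sales OU blocks inheritance, so the site and default
# domain GPOs are skipped, but the domain's enforced baseline still applies and
# its screen-saver timeout beats the value set on the Sales OU.
$scopes = @(
    [pscustomobject]@{ Name = 'Local';    BlockInheritance = $false; Links = @(
        [pscustomobject]@{ Gpo = 'Local GPO';             LinkOrder = 1; Enforced = $false; Settings = @{ Wallpaper = 'local.jpg' } }) },
    [pscustomobject]@{ Name = 'Site';     BlockInheritance = $false; Links = @(
        [pscustomobject]@{ Gpo = 'Site Proxy';            LinkOrder = 1; Enforced = $false; Settings = @{ ProxyServer = 'proxy.hq' } }) },
    [pscustomobject]@{ Name = 'Domain';   BlockInheritance = $false; Links = @(
        [pscustomobject]@{ Gpo = 'Default Domain Policy'; LinkOrder = 2; Enforced = $false; Settings = @{ Wallpaper = 'corp.jpg' } },
        [pscustomobject]@{ Gpo = 'Security Baseline';     LinkOrder = 1; Enforced = $true;  Settings = @{ ScreenSaverTimeout = 600 } }) },
    [pscustomobject]@{ Name = 'OU=Sales'; BlockInheritance = $true;  Links = @(
        [pscustomobject]@{ Gpo = 'Sales Desktop';         LinkOrder = 1; Enforced = $false; Settings = @{ Wallpaper = 'sales.jpg'; ScreenSaverTimeout = 900 } }) }
)
$result = Resolve-GpoPrecedence -Scopes $scopes
$result.ProcessingOrder -join ' -> '
$result.Effective
```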