system administrator interview questions 2.pdf


Upload: spkumarsilver

Post on 15-Dec-2015


Page 1: System Administrator Interview Questions 2.pdf

6/25/2015 System Administrator Interview Questions and Answers


I want to look at the RID allocation table for a DC. What do I do?

In Command prompt type

C:\>dcdiag /test:ridmanager /s:<dcname> /v

Here dcname is the name of our DC


What is the difference between LDIFDE and CSVDE? Usage considerations?

Ldifde creates, modifies, and deletes directory objects on computers running Windows Server 2003 operating systems or Windows XP Professional. You can also use Ldifde to extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory with data from other directory services.

Ldifde


What are the DS* commands?

Microsoft included a set of command-line tools with their server operating systems to allow better and more productive management of the directory service. The DS commands are these tools. They are simple commands with only a few parameters that can increase the productivity of systems administrators and keep their Active Directory domains running and in tip-top shape.

How would you find all users that have not logged on since last month?

You can use the DSQuery user command for this purpose. DS commands are used to retrieve information from Active Directory through the command line. To use DSQuery, you must run the DSQuery command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator. The -inactive parameter takes a number of weeks, so 4 covers roughly the last month.

C:\>dsquery user -inactive 4
"CN=Service User,OU=IT,DC=nishantsoft,DC=com"
"CN=IT JOURNAL,OU=Management,OU=Gurgaon,DC=nishantsoft,DC=com"
"CN=Dipak Khanna,OU=RC,OU=Gurgaon,DC=nishantsoft,DC=com"
"CN=Amit Mishra,OU=RC,OU=Gurgaon,DC=nishantsoft,DC=com"
"CN=Test Account,OU=Development,OU=Gurgaon,DC=nishantsoft,DC=com"
"CN=Jeevan Singh,OU=Development,OU=Gurgaon,DC=nishantsoft,DC=com"


What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?

If you're installing Windows 2003 R2 on an existing Windows 2003 server with SP1 installed, you require only the second R2 CD-ROM. Insert the second CD and r2auto.exe will display the Windows 2003 R2 Continue Setup screen.

If you're installing R2 on a domain controller (DC), you must first upgrade the schema to the R2 version (this is a minor change and mostly related to the new Dfs replication engine). To update the schema, run the Adprep utility, which you'll find in the Cmpnents\r2\adprep folder on the second CD-ROM. Before running this command, ensure all DCs are running Windows 2003 or Windows 2000 with SP2 (or later).


What do you do to install a new Windows 2003 DC in a Windows 2000 AD?

Check that Windows 2000 Service Pack 4 is installed on all the domain controllers and Exchange servers. If it is not already installed, install it now. After that, run the Adprep.exe utility on the Windows 2000 domain controllers currently holding the schema master and infrastructure master roles. The adprep /forestprep command must first be issued on the Windows 2000 server holding the schema master role in the forest root domain to prepare the existing schema to support Windows 2003 Active Directory.


What is tombstone lifetime attribute?

The tombstone lifetime in an Active Directory forest determines how long a deleted object, also known as a ‘tombstone’, is retained in Active Directory. The tombstone lifetime is determined by the value of the tombstoneLifetime attribute on the Directory Service object in the configuration directory partition.

Tombstone lifetime assists in removing objects from replicated servers and preventing restores from reintroducing a deleted object. When an object is deleted from Active Directory, it is not physically removed from Active Directory for some days. Instead, Active Directory sets the ‘isDeleted’ attribute of the deleted object to TRUE and moves it to a special container called ‘Tombstone’.

The default tombstone lifetime is 60 days in Windows Server 2003, but it was changed to 180 days in Windows Server 2003 SP1 and later.

The tombstone lifetime attribute remains the same on all the domain controllers, and a tombstone is deleted from all the servers at the same time. This is because the expiration of a tombstone lifetime is based on the time when an object was logically deleted from Active Directory, rather than the time when it is received as a tombstone on a server through replication.


Name some OU design considerations.

The Group Policy architecture is flexible and allows for many types of design. The guiding principle as you design your organizational unit structure should be to create a structure that is easy to manage and troubleshoot.

Delegation of authority, separation of administrative duties, central versus distributed administration, and design flexibility are important factors you'll need to consider when designing Group Policy and selecting which scenarios to use for your organization.

What tool would I use to try to grab security related packets from the wire?

A network tap is the best solution for grabbing data packets on a network. It is a hardware device which provides a way to access the data flowing across a computer network. Computer networks, including the Internet, are collections of devices, such as computers, routers, and switches, that are connected to each other.

Network taps are commonly used for security applications because they are non-obtrusive, are not detectable on the network, can deal with full-duplex and non-shared networks, and will usually pass through traffic even if the tap stops working or loses power.

Can I get user passwords from the AD database?

By default, user account passwords are stored as a password hash (the hash is based on one-way encryption, which means you can’t reverse it to get the plaintext). These hashes are stored in Active Directory (the C:\Windows\NTDS\ntds.dit file on DCs). If you need to get a user's password, then you have to change the way it is stored in AD: you have to store passwords encrypted with a reversible encryption algorithm.

To enable this option globally:

1. Select Start > Programs > Administrative Tools > Active Directory Users and Computers.
2. In the Active Directory Users and Computers window, right click on your domain and select Properties.
3. In the Group Policy tab, select "Default Domain Policy" and click Edit.
4. In the Group Policy window, navigate to Password Policy in the left-panel Tree view: Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy.
5. Right click on "Store password using reversible encryption for all users in the domain" and select Security.
6. In the Security Policy Setting window, select the "Define this policy setting" checkbox and the Enabled radio button. Click OK.
7. Close all applications and restart the computer, and log into your domain.

To enable this option for a specific user:

1. Select Start > Programs > Administrative Tools > Active Directory Users and Computers.
2. In the Active Directory Users and Computers window, right-click on the user and select Properties.
3. In the Account tab, check "Store password using reversible encryption." Click OK.
4. Close all applications and restart the computer, and log into your domain.

When this is enabled (per user or for the entire domain), Windows stores the password encrypted, but in such a way that it can reverse the encryption and recover the plaintext password. This feature exists because some authentication protocols require the plaintext password to function correctly; the two most common examples are HTTP Digest Authentication and CHAP.

Niels Teusink has done great research on this:

http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html

http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html

He also developed a nice tool called “RevDump” to decipher these encrypted passwords.
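Because passwords stored this way can be recovered, it is worth auditing which accounts carry the per-user setting described above. The following Python code is an added example, not part of the original page: it reads an LDIF export of sAMAccountName and userAccountControl (for instance one written by ldifde -f users.ldf -r "(objectClass=user)" -l sAMAccountName,userAccountControl) and lists the accounts whose userAccountControl has the 0x80 bit (ENCRYPTED_TEXT_PWD_ALLOWED) set. The sample records, the example.com names and the function names are constructed for illustration.

```python
import base64

# userAccountControl bits (documented Active Directory flag values)
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080   # "Store password using reversible encryption"
ACCOUNTDISABLE = 0x0002

# Constructed sample export: one folded DN, one normal user, one base64 ("dn::") DN.
_B64_DN = base64.b64encode("CN=Zoë Legacy,OU=IT,DC=example,DC=com".encode()).decode()
SAMPLE_LDIF = (
    "dn: CN=Web Digest,OU=IT,\n DC=example,DC=com\n"
    "sAMAccountName: webdigest\nuserAccountControl: 66176\n\n"
    "dn: CN=Normal User,OU=IT,DC=example,DC=com\n"
    "sAMAccountName: nuser\nuserAccountControl: 512\n\n"
    f"dn:: {_B64_DN}\n"
    "sAMAccountName: zlegacy\nuserAccountControl: 642\n"
)

def parse_ldif(text):
    """Yield one dict per LDIF record, undoing line folding and base64 values."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        record = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue                      # comments, "-" separators, blanks
            name, _, value = line.partition(":")
            if value.startswith(":"):         # "attr:: <base64>"
                raw = base64.b64decode(value[1:].strip())
                value = raw.decode("utf-8", "replace")
            record.setdefault(name.lower(), []).append(value.strip())
        if "dn" in record:
            yield record

def reversible_accounts(text):
    """Return (sAMAccountName, dn, enabled) for accounts with the flag set."""
    hits = []
    for rec in parse_ldif(text):
        try:
            uac = int(rec["useraccountcontrol"][0])
        except (KeyError, ValueError):
            continue                          # no UAC attribute or malformed value
        if uac & ENCRYPTED_TEXT_PWD_ALLOWED:
            name = rec.get("samaccountname", ["?"])[0]
            hits.append((name, rec["dn"][0], not uac & ACCOUNTDISABLE))
    return hits

if __name__ == "__main__":
    for name, dn, enabled in reversible_accounts(SAMPLE_LDIF):
        print(f"{name:12} {'enabled' if enabled else 'disabled':9} {dn}")
```

The domain-wide policy setting does not set this bit on user objects, so it still has to be checked in the password policy itself.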