Active Directory Interview Questions – Part 6

June 7, 2020

51. What Are Active Directory Functional Levels?
In Active Directory Domain Services (AD DS), domain controllers can run different versions of Windows Server operating systems. The functional level of a domain or forest depends on which versions of Windows Server operating systems are running on the domain controllers in the domain or forest. The functional level of a domain or forest controls which advanced features are available in the domain or forest.

Ideally, all servers in an organization could run the latest version of Windows and take advantage of all the advanced features that are available with the newest software. But organizations often have a mixture of systems, generally running different versions of operating systems, which are migrated to the latest version only as organizational requirements demand additional functionality, either for the entire organization or for a specific area of the organization.

AD DS supports phased implementation of new versions of Windows Server and advanced features on domain controllers by providing multiple functional levels, each of which is specific to the versions of Windows Server operating systems that are running on the domain controllers in the environment. These functional levels provide configuration support for the AD DS features and ensure compatibility with domain controllers running earlier versions of Windows Server.

AD DS does not automatically enable advanced features, even if all domain controllers within a forest are running the same version of Windows Server. Instead, an administrator raises a domain or forest to a specific functional level to safely enable advanced features when all domain controllers in the domain or forest are running an appropriate version of Windows Server. When an administrator attempts to raise the functional level, AD DS checks whether all domain controllers are running an appropriate Windows Server operating system to ensure the proper environment for enabling new Active Directory features.

Domain functional level.
Six domain functional levels are available:
– Windows 2000 native
– Windows Server 2003
– Windows Server 2008
– Windows Server 2008 R2
– Windows Server 2012
– Windows Server 2012 R2

Forest functional level.
Six forest functional levels are available:
– Windows 2000
– Windows Server 2003
– Windows Server 2008
– Windows Server 2008 R2
– Windows Server 2012
– Windows Server 2012 R2
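Raising a functional level is a one-way change that AD DS only permits once every domain controller runs a suitable Windows Server version, so the check below (an added example, not code from the original article) inventories DC operating systems against the current domain and forest levels before committing. It assumes the RSAT ActiveDirectory module and Domain/Enterprise Admins rights.

```powershell
# Added example (not from the original article): list current functional
# levels and every DC's OS version, then show what raising would do.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

"Domain {0} is at functional level {1}" -f $domain.DNSRoot, $domain.DomainMode
"Forest {0} is at functional level {1}" -f $forest.Name, $forest.ForestMode

# A level can only be raised when every DC runs at least that version, so
# enumerate the DCs of every domain in the forest, oldest OS first.
$dcs = $forest.Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
$dcs |
    Sort-Object OperatingSystemVersion |
    Format-Table HostName, Domain, OperatingSystem, OperatingSystemVersion -AutoSize

# Raising is irreversible; -WhatIf reports the change without applying it.
# Remove -WhatIf only after the table above shows every DC on
# Windows Server 2012 R2 or newer.
Set-ADDomainMode -Identity $domain -DomainMode Windows2012R2Domain -WhatIf
Set-ADForestMode -Identity $forest -ForestMode Windows2012R2Forest -WhatIf
```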

52. What Is FRS?
File Replication service (FRS) is a technology that replicates files and folders stored in the SYSVOL shared folder on domain controllers and Distributed File System (DFS) shared folders. When FRS detects that a change has been made to a file or folder within a replicated shared folder, FRS replicates the updated file or folder to other servers. Because FRS is a multimaster replication service, any server that participates in replication can generate changes. In addition, FRS can resolve file and folder conflicts to make data consistent among servers.

53. What is DFS-R?
The Distributed File System Replication (DFSR) service is a state-based, multimaster replication engine that supports replication scheduling and bandwidth throttling. DFSR uses a compression algorithm known as remote differential compression (RDC). RDC is a “diff-over-the wire” client/server protocol that can be used to efficiently update files over a limited-bandwidth network. RDC detects insertions, removals, and rearrangements of data in files, enabling DFSR to replicate only the changed file blocks when files are updated.

54. What is DSRM in AD?
Directory Services Restore Mode (DSRM) is a safe mode boot option for Windows Server domain controllers. DSRM allows an administrator to repair or restore an Active Directory database. When Active Directory is installed, the installation wizard prompts the administrator to choose a DSRM password. This password gives the administrator a back door into the database in case something goes wrong later on, but it does not provide access to the domain or to any services. If the DSRM password is forgotten, it can be changed with the command-line tool NTDSUtil.

55. Why is DNS important for Active Directory?
Active Directory is dependent on DNS as a domain controller location mechanism and uses DNS domain naming conventions in the architecture of Active Directory domains. There are three components in the dependency of Active Directory on DNS:
1. Domain controller locator (Locator)
2. Active Directory domain names in DNS
3. Active Directory DNS objects
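The Locator (component 1) finds domain controllers through the SRV records that DCs register under _msdcs (component 3). The added example below, not part of the original article, resolves those records and flags any target that the directory does not list as a domain controller, which is how stale records from a demoted DC are caught. The RSAT ActiveDirectory module is assumed; contoso.com and the site name are placeholders.

```powershell
# Added example (not from the original article): verify the SRV records the
# DC Locator depends on against the DCs registered in the directory.
Import-Module ActiveDirectory

$domainName = 'contoso.com'                # placeholder
$siteName   = 'Default-First-Site-Name'    # placeholder

# Names the Locator queries: domain-wide records plus a site-specific one.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$domainName"
    "_kerberos._tcp.dc._msdcs.$domainName"
    "_gc._tcp.$domainName"
    "_ldap._tcp.$siteName._sites.dc._msdcs.$domainName"
)

# Hostnames the directory itself says are domain controllers.
$knownDcs = (Get-ADDomainController -Filter * -Server $domainName).HostName |
    ForEach-Object { $_.TrimEnd('.').ToLower() }

foreach ($name in $srvNames) {
    # Resolve-DnsName also returns the A records for the targets; keep SRV only.
    $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }
    if (-not $records) {
        Write-Warning "No SRV record for $name; clients cannot locate a DC this way"
        continue
    }
    foreach ($rec in $records) {
        $target = $rec.NameTarget.TrimEnd('.').ToLower()
        if ($knownDcs -contains $target) {
            "{0} -> {1}:{2} (priority {3}, weight {4})" -f $name, $target, $rec.Port, $rec.Priority, $rec.Weight
        } else {
            # A record left behind by a demoted DC, or one that never was a DC,
            # steers logon and LDAP traffic to the wrong host.
            Write-Warning "$name points at $target, which is not a registered DC"
        }
    }
}
```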

56. What is Group Policy in Active Directory?
Group Policy is an infrastructure that allows you to implement specific configurations for users and computers. Group Policy settings are contained in Group Policy objects (GPOs), which are linked to the following Active Directory directory service containers: sites, domains, and organizational units (OUs).

57. What is a tree in Active Directory?
A tree is a group of domains that share a common DNS namespace; for example, (the top domain) and (the child domains).

58. What is a forest in Active Directory?
A forest is a collection of multiple trees that share a common global catalog, directory schema, logical structure, and directory configuration. A forest has automatic two-way transitive trust relationships between its domains. The very first domain created in the forest is called the forest root domain. Forests allow organizations to group divisions that use different naming schemes and may need to operate independently, while still letting them communicate with the entire organization via transitive trusts and share the same schema and configuration container.

59. What are the different modes of AD restore?
A nonauthoritative restore is the default method for restoring Active Directory. To perform a nonauthoritative restore, you must be able to start the domain controller in Directory Services Restore Mode. After you restore the domain controller from backup, replication partners use the standard replication protocols to update Active Directory and associated information on the restored domain controller.

An authoritative restore brings a domain or a container back to the state it was in at the time of backup and overwrites all changes made since the backup. If you do not want to replicate the changes that have been made since the last backup operation, you must perform an authoritative restore. In this case, inbound replication needs to be stopped before performing the authoritative restore.
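The commands behind the two restore modes, as an added example that is not part of the original article. They are run from an elevated prompt on the affected DC one stage at a time across the reboots (re-set the variables after each reboot); the DC name, backup version, backup drive and OU are illustrative placeholders.

```powershell
# Added example (not from the original article): nonauthoritative versus
# authoritative restore of an AD DS domain controller, stage by stage.
$dc       = 'DC01'                         # placeholder DC name
$backupId = '06/01/2020-02:00'             # placeholder; list with: wbadmin get versions
$subtree  = 'OU=Sales,DC=contoso,DC=com'   # placeholder container to restore authoritatively

# A forgotten DSRM password is reset from a normally booted DC; ntdsutil
# prompts for the new password interactively:
#   ntdsutil "set dsrm password" "reset password on server null" quit quit

# --- Stage 1 (normal boot): for an AUTHORITATIVE restore, stop inbound
# replication so partners cannot push changes onto this DC during the work.
repadmin /options $dc +DISABLE_INBOUND_REPL

# Boot into DSRM; logon there uses the DSRM password, not a domain account.
bcdedit /set safeboot dsrepair
Restart-Computer

# --- Stage 2 (in DSRM): restore System State from backup. On its own this is
# the NONAUTHORITATIVE path: after a normal reboot, replication partners send
# everything that changed since the backup and their copies win.
wbadmin start systemstaterecovery "-version:$backupId" -backupTarget:E:
# Answer N when wbadmin offers to restart, so ntdsutil can run first.

# Mark the subtree authoritative: ntdsutil raises the version numbers of the
# restored objects so they overwrite the partners' copies on replication.
ntdsutil "activate instance ntds" "authoritative restore" "restore subtree $subtree" quit quit

# Leave DSRM and reboot normally.
bcdedit /deletevalue safeboot
Restart-Computer

# --- Stage 3 (normal boot): once the restored objects have replicated out,
# allow inbound replication again and check the DC's replication status.
repadmin /options $dc -DISABLE_INBOUND_REPL
repadmin /showrepl $dc
```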

60. What’s the difference between transferring a FSMO role and seizing?
Seizing an FSMO can be a destructive process and should only be attempted if the existing server with the FSMO is no longer available.

If you seize the FSMO roles from a DC, you need to ensure two things: that the current holder is actually dead and offline, and that the old DC will NEVER return to the network. If you seize an FSMO role and then bring the previous holder back online, you will have two DCs that each believe they hold the role.

An FSMO role TRANSFER is the graceful movement of the roles from a live, working DC to another live DC. During the process, the current DC holding the role(s) is updated, so it becomes aware that it is no longer the role holder.
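Both operations map onto one cmdlet, Move-ADDirectoryServerOperationMasterRole, with -Force selecting the seize. The added example below, not code from the original article, wraps it so that a seize is refused while any current role holder still answers on the network, which enforces the "dead and offline" condition above. It assumes the RSAT ActiveDirectory module; DC02 is a placeholder.

```powershell
# Added example (not from the original article): transfer FSMO roles to a live
# DC, or seize them only after confirming every current holder is unreachable.
Import-Module ActiveDirectory

function Move-FsmoRoles {
    param(
        [Parameter(Mandatory)] [string]$Target,   # live DC that should hold the roles
        [switch]$Seize                            # only when the current holder is gone for good
    )
    $roles  = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'
    $domain = Get-ADDomain
    $forest = Get-ADForest

    if (-not $Seize) {
        # TRANSFER: graceful. The current holder is contacted and updated, so it
        # knows it no longer owns the roles.
        Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $roles -Confirm:$false
        return
    }

    # SEIZE: refuse while any current holder is still reachable.
    $holders = @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster,
                 $forest.SchemaMaster, $forest.DomainNamingMaster) | Sort-Object -Unique
    foreach ($holder in $holders) {
        if (Test-Connection -ComputerName $holder -Count 2 -Quiet -ErrorAction SilentlyContinue) {
            throw "$holder still answers on the network; transfer the roles instead of seizing."
        }
    }
    # -Force attempts a transfer first and seizes when the holder cannot be reached.
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $roles -Force -Confirm:$false
    Write-Warning "Roles seized. The old holders must never rejoin the network; clean up their metadata before any reuse."
}

Move-FsmoRoles -Target 'DC02'           # normal case: both DCs are online
# Move-FsmoRoles -Target 'DC02' -Seize  # disaster case: the holder is permanently lost

# Confirm which DC now holds each role.
netdom query fsmo
```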
