all interview question

Upload: gauravswami

Post on 24-Feb-2018


TRANSCRIPT

  • 7/25/2019 All Interview Question

    1/33

    Windows Server 2003 interview and certification questions

    1. How do you double-boot a Win 2003 server box? The Boot.ini file is set as read-only, system, and hidden to prevent unwanted editing. To change the Boot.ini timeout and default settings, use the System option in Control Panel from the Advanced tab and select Startup.

    2. What do you do if an earlier application doesn't run on Windows Server 2003? When an application that ran on an earlier legacy version of Windows cannot be loaded during the setup function or if it later malfunctions, you must run the compatibility mode function. This is accomplished by right-clicking the application or setup program and selecting Properties > Compatibility > selecting the previously supported operating system.

    3. If you uninstall Windows Server 2003, which operating systems can you revert to? Win ME, Win 98, 2000, XP. Note, however, that you cannot upgrade from ME and 98 to Windows Server 2003.

    4. How do you get to Internet Firewall settings? Start > Control Panel > Network and Internet Connections > Network Connections.

    5. What are the Windows Server 2003 keyboard shortcuts? Winkey opens or closes the Start menu. Winkey + BREAK displays the System Properties dialog box. Winkey + TAB moves the focus to the next application in the taskbar. Winkey + SHIFT + TAB moves the focus to the previous application in the taskbar. Winkey + B moves the focus to the notification area. Winkey + D shows the desktop. Winkey + E opens Windows Explorer showing My Computer. Winkey + F opens the Search panel. Winkey + CTRL + F opens the Search panel with Search for Computers module selected. Winkey + F1 opens Help. Winkey + M minimizes all. Winkey + SHIFT + M undoes minimization. Winkey + R opens Run dialog. Winkey + U opens the Utility Manager. Winkey + L locks the computer.

    6. What is Active Directory? Active Directory is a network-based object store and service that locates and manages resources, and makes these resources available to authorized users and groups. An underlying principle of the Active Directory is that everything is considered an object: people, servers, workstations, printers, documents, and devices. Each object has certain attributes and its own security access control list (ACL).

    7. Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003? The Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read and write relationship that hosts copies of the Active Directory.

    8. How long does it take for security changes to be replicated among the domain controllers? Security-related modifications are replicated within a site immediately. These changes include account and individual user lockout policies, changes to password policies, changes to computer account passwords, and modifications to the Local Security Authority (LSA).

    9. What's new in Windows Server 2003 regarding the DNS management? When DC promotion occurs with an existing forest, the Active Directory Installation Wizard contacts an existing DC to update the directory and replicate from the DC the required portions of the directory. If the wizard fails to locate a DC, it performs debugging and reports what caused the failure and how to fix the problem. In order to be located on a network, every DC must register in DNS DC locator DNS records. The Active Directory Installation Wizard verifies a proper configuration of the DNS infrastructure. All DNS configuration debugging and reporting activity is done with the Active Directory Installation Wizard.

    10. When should you create a forest? Organizations that operate on radically different bases may require separate trees with distinct namespaces. Unique trade or brand names often give rise to separate DNS identities. Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and joint ventures. While access to common resources is desired, a separately defined tree can enforce more direct administrative and security restrictions.

    11. How can you authenticate between forests? Four types of authentication are used across forests: (1) Kerberos and NTLM network logon for remote access to a server in another forest; (2) Kerberos and NTLM interactive logon for physical logon outside the user's home forest; (3) Kerberos delegation to N-tier application in another forest; and (4) user principal name (UPN) credentials.

    12. What snap-in administrative tools are available for Active Directory? Active Directory Domains and Trusts Manager, Active Directory Sites and Services Manager, Active Directory Users and Group Manager, Active Directory Replication (optional, available from the Resource Kit), Active Directory Schema Manager (optional, available from adminpak).

    13. What types of classes exist in Windows Server 2003 Active Directory?

    Structural class. The structural class is important to the system administrator in that it is the only type from which new Active Directory objects are created. Structural classes are developed from either the modification of an existing structural type or the use of one or more abstract classes.

    Abstract class. Abstract classes are so named because they take the form of templates that actually create other templates (abstracts) and structural and auxiliary classes. Think of abstract classes as frameworks for the defining objects.

    Auxiliary class. The auxiliary class is a list of attributes. Rather than apply numerous attributes when creating a structural class, it provides a streamlined alternative by applying a combination of attributes with a single include action.

    88 class. The 88 class includes object classes defined prior to 1993, when the 1988 X.500 specification was adopted. This type does not use the structural, abstract, and auxiliary definitions, nor is it in common use for the development of objects in Windows Server 2003 environments.

    14. How do you delete a lingering object? Windows Server 2003 provides a command called Repadmin that provides the ability to delete lingering objects in the Active Directory.

    15. What is Global Catalog? The Global Catalog authenticates network user logons and fields inquiries about objects across a forest or tree. Every domain has at least one GC that is hosted on a domain controller. In Windows 2000, there was typically one GC on every site in order to prevent user logon failures across the network.

    16. How is user account security established in Windows Server 2003? When an account is created, it is given a unique access number known as a security identifier (SID). Every group to which the user belongs has an associated SID. The user and related group SIDs together form the user account's security token, which determines access levels to objects throughout the system and network. SIDs from the security token are mapped to the access control list (ACL) of any object the user attempts to access.

    17. If I delete a user and then create a new account with the same username and password, would the SID and permissions stay the same? No. If you delete a user account and attempt to recreate it with the same user name and password, the SID will be different.

    18. What do you do with secure sign-ons in an organization with many roaming users? Credential Management feature of Windows Server 2003 provides a consistent single sign-on experience for users. This can be useful for roaming users who move between computer systems. The Credential Management feature provides a secure store of user credentials that includes passwords and X.509 certificates.

    19. Anything special you should do when adding a user that has a Mac? "Save password as encrypted clear text" must be selected on User Properties Account Tab Options, since the Macs only store their passwords that way.

    20. What remote access options does Windows Server 2003 support? Dial-in, VPN, dial-in with callback.

    21. Where are the documents and settings for the roaming profile stored? All the documents and environmental settings for the roaming user are stored locally on the system, and, when the user logs off, all changes to the locally stored profile are copied to the shared server folder. Therefore, the first time a roaming user logs on to a new system the logon process may take some time, depending on how large his profile folder is.

    22. Where are the settings for all the users stored on a given machine? \Documents and Settings\All Users

    23. What languages can you use for log-on scripts? JavaScript, VBScript, DOS batch files (.com, .bat, or even .exe)


    Windows Server 2003 Active Directory and Security questions

    1. What's the difference between local, global and universal groups? Domain local groups assign access permissions to global domain groups for local domain resources. Global groups provide access to resources in other trusted domains. Universal groups grant access to resources in all trusted domains.

    2. I am trying to create a new universal user group. Why can't I? Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.

    3. What is LSDOU? It's the group policy inheritance model, where the policies are applied to Local machines, Sites, Domains and Organizational Units.

    4. Why doesn't LSDOU work under Windows NT? If the NTConfig.pol file exists, it has the highest priority among the numerous policies.

    5. Where are group policies stored? %SystemRoot%\System32\GroupPolicy

    6. What is GPT and GPC? Group policy template and group policy container.

    7. Where is GPT stored? %SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID

    8. You change the group policies, and now the computer and user settings are in conflict. Which one has the highest priority? The computer settings take priority.

    9. You want to set up remote installation procedure, but do not want the user to gain access over it. What do you do? gponame > User Configuration > Windows Settings > Remote Installation Services > Choice Options is your friend.

    10. What's contained in administrative template conf.adm? Microsoft NetMeeting policies

    11. How can you restrict running certain applications on a machine? Via group policy, security settings for the group, then Software Restriction Policies.

    12. You need to automatically install an app, but MSI file is not available. What do you do? A .zap text file can be used to add applications using the Software Installer, rather than the Windows Installer.

    13. What's the difference between Software Installer and Windows Installer? The former has fewer privileges and will probably require user intervention. Plus, it uses .zap files.

    14. What can be restricted on Windows Server 2003 that wasn't there in previous products? Group Policy in Windows Server 2003 determines a user's right to modify network and dial-up TCP/IP properties. Users may be selectively restricted from modifying their IP address and other network configuration parameters.

    15. How frequently is the client policy refreshed? 90 minutes give or take.

    16. Where is secedit? It's now gpupdate.


    17. You want to create a new group policy but do not wish to inherit. Make sure you check Block inheritance among the options when creating the policy.

    18. What is "tattooing" the Registry? The user can view and modify user preferences that are not stored in maintained portions of the Registry. If the group policy is removed or changed, the user preference will persist in the Registry.

    19. How do you fight tattooing in NT/2000 installations? You can't.

    20. How do you fight tattooing in 2003 installations? User Configuration - Administrative Templates - System - Group Policy - enable - Enforce Show Policies Only.

    21. What does IntelliMirror do? It helps to reconcile desktop settings, applications, and stored files for users, particularly those who move between workstations or those who must periodically work offline.

    22. What's the major difference between FAT and NTFS on a local machine? FAT and FAT32 provide no security over locally logged-on users. Only native NTFS provides extensive permission control on both remote and local files.

    23. How do FAT and NTFS differ in approach to user shares? They don't; both have support for sharing.

    24. Explain the List Folder Contents permission on the folder in NTFS. Same as Read & Execute, but not inherited by files within a folder. However, newly created subfolders will inherit this permission.

    25. I have a file to which the user has access, but he has no folder permission to read it. Can he access it? It is possible for a user to navigate to a file for which he does not have folder permission. This involves simply knowing the path of the file object. Even if the user can't drill down the file/folder tree using My Computer, he can still gain access to the file using the Universal Naming Convention (UNC). The best way to start would be to type the full path of a file into Run window.

    26. For a user in several groups, are Allow permissions restrictive or permissive? Permissive: if at least one group has Allow permission for the file/folder, user will have the same permission.

    27. For a user in several groups, are Deny permissions restrictive or permissive? Restrictive: if at least one group has Deny permission for the file/folder, user will be denied access, regardless of other group permissions.

    28. What hidden shares exist on Windows Server 2003 installation? Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.

    29. What's the difference between standalone and fault-tolerant DFS (Distributed File System) installations? The standalone server stores the Dfs directory tree structure or topology locally. Thus, if a shared folder is inaccessible or if the Dfs root server is down, users are left with no link to the shared resources. A fault-tolerant root node stores the Dfs topology in the Active Directory, which is replicated to other domain controllers. Thus, redundant root nodes may include multiple connections to the same data residing in different shared folders.

    30. We're using the DFS fault-tolerant installation, but cannot access it from a Win98 box. Use the UNC path, not client, only 2000 and 2003 clients can access Server 2003 fault-tolerant shares.

    31. Where exactly do fault-tolerant DFS shares store information in Active Directory? In Partition Knowledge Table, which is then replicated to other domain controllers.

    32. Can you use Start->Search with DFS shares? Yes.

    33. What problems can you have with DFS installed? Two users opening the redundant copies of the file at the same time, with no file-locking involved in DFS, changing the contents and then saving. Only one file will be propagated through DFS.

    34. I run Microsoft Cluster Server and cannot install fault-tolerant DFS. Yeah, you can't. Install a standalone one.

    35. Is Kerberos encryption symmetric or asymmetric? Symmetric.

    36. How does Windows 2003 Server try to prevent a middle-man attack on encrypted line? Time stamp is attached to the initial client request, encrypted with the shared key.

    37. What hashing algorithms are used in Windows 2003 Server? RSA Data Security's Message Digest 5 (MD5), which produces a 128-bit hash, and the Secure Hash Algorithm 1 (SHA-1), which produces a 160-bit hash.

    38. What third-party certificate exchange protocols are used by Windows 2003 Server? Windows Server 2003 uses the industry standard PKCS-10 certificate request and PKCS-7 certificate response to exchange CA certificates with third-party certificate authorities.

    39. What's the number of permitted unsuccessful logons on Administrator account? Unlimited. Remember, though, that it's the Administrator account, not any account that's part of the Administrators group.

    40. If hashing is one-way function and Windows Server uses hashing for storing passwords, how is it possible to attack the password lists, specifically the ones using NTLMv1? A cracker would launch a dictionary attack by hashing every imaginable term used for password and then compare the hashes.

    41. What's the difference between guest accounts in Server 2003 and other editions? More restrictive in Windows Server 2003.

    42. How many passwords by default are remembered when you check "Enforce Password History Remembered"? User's last 6 passwords.


    Windows Server 2003 interview and certification questions

    1. How do you double-boot a Win 2003 server box?

    The Boot.ini file is set as read-only, system, and hidden to prevent unwanted editing. To change the Boot.ini timeout and default settings, use the System option in Control Panel from the Advanced tab and select Startup.

    2. What do you do if an earlier application doesn't run on Windows Server 2003?

    When an application that ran on an earlier legacy version of Windows cannot be loaded during the setup function or if it later malfunctions, you must run the compatibility mode function. This is accomplished by right-clicking the application or setup program and selecting: Properties > Compatibility > selecting the previously supported operating system.

    3. If you uninstall Windows Server 2003, which operating systems can you revert to?

    Win ME, Win 98, 2000, XP. Note, however, that you cannot upgrade from ME and 98 to Windows Server 2003.

    4. How do you get to Internet Firewall settings?

    Start > Control Panel > Network and Internet Connections > Network Connections.

    5. What are the Windows Server 2003 keyboard shortcuts?

    Winkey opens or closes the Start menu.

    Winkey + BREAK displays the System Properties dialog box.

    Winkey + TAB moves the focus to the next application in the taskbar.

    Winkey + SHIFT + TAB moves the focus to the previous application in the taskbar.

    Winkey + B moves the focus to the notification area.

    Winkey + D shows the desktop.

    Winkey + E opens Windows Explorer showing My Computer.

    Winkey + F opens the Search panel.

    Winkey + CTRL + F opens the Search panel with Search for Computers module selected.

    Winkey + F1 opens Help.

    Winkey + M minimizes all.

    Winkey + SHIFT + M undoes minimization.

    Winkey + R opens Run dialog.

    Winkey + U opens the Utility Manager.

    Winkey + L locks the computer.

    6. What is Active Directory?

    Active Directory is a network-based object store and service that locates and manages resources, and makes these resources available to authorized users and groups. An underlying principle of the Active Directory is that everything is considered an object: people, servers, workstations, printers, documents, and devices. Each object has certain attributes and its own security access control list (ACL).

    7. Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003?

    The Active Directory replaces them. Now all domain controllers share a multimaster peer-to-peer read and write relationship that hosts copies of the Active Directory.

    8. How long does it take for security changes to be replicated among the domain controllers?

    Security-related modifications are replicated within a site immediately. These changes include account and individual user lockout policies, changes to password policies, changes to computer account passwords, and modifications to the Local Security Authority (LSA).

    9. What's new in Windows Server 2003 regarding the DNS management?

    When DC promotion occurs with an existing forest, the Active Directory Installation Wizard contacts an existing DC to update the directory and replicate from the DC the required portions of the directory. If the wizard fails to locate a DC, it performs debugging and reports what caused the failure and how to fix the problem. In order to be located on a network, every DC must register in DNS DC locator DNS records. The Active Directory Installation Wizard verifies a proper configuration of the DNS infrastructure. All DNS configuration debugging and reporting activity is done with the Active Directory Installation Wizard.

    10. When should you create a forest?

    Organizations that operate on radically different bases may require separate trees with distinct namespaces.

    Unique trade or brand names often give rise to separate DNS identities.

    Organizations merge or are acquired and naming continuity is desired. Organizations form partnerships and

    joint ventures. While access to common resources is desired, a separately defined tree can enforce more

    direct administrative and security restrictions.

    11. How can you authenticate between forests?

    Four types of authentication are used across forests:

    (1) Kerberos and NTLM network logon for remote access to a server in another forest;

    (2) Kerberos and NTLM interactive logon for physical logon outside the user's home forest;

    (3) Kerberos delegation to N-tier application in another forest; and

    (4) user principal name (UPN) credentials.

    12. What snap-in administrative tools are available for Active Directory?

    Active Directory Domains and Trusts Manager, Active Directory Sites and Services Manager, Active Directory

    Users and Group Manager, Active Directory Replication (optional, available from the Resource Kit), Active

    Directory Schema Manager (optional, available from adminpak)

    13. What types of classes exist in Windows Server 2003 Active Directory?

    * Structural class

    The structural class is important to the system administrator in that it is the only type from which new


    Active Directory objects are created. Structural classes are developed from either the modification of an

    existing structural type or the use of one or more abstract classes.

    * Abstract class

    Abstract classes are so named because they take the form of templates that actually create other templates (abstracts) and structural and auxiliary classes. Think of abstract classes as frameworks for defining objects.

    * Auxiliary class

    The auxiliary class is a list of attributes. Rather than apply numerous attributes when creating a structural

    class, it provides a streamlined alternative by applying a combination of attributes with a single include

    action.

    * 88 class

    The 88 class includes object classes defined prior to 1993, when the 1988 X.500 specification was adopted.

    This type does not use the structural, abstract, and auxiliary definitions, nor is it in common use for the

    development of objects in Windows Server 2003 environments.

    14. How do you delete a lingering object?

    Windows Server 2003 provides a command called Repadmin that provides the ability to delete lingering

    objects in the Active Directory.

    15. What is Global Catalog?

    The Global Catalog authenticates network user logons and fields inquiries about objects across a forest or

    tree. Every domain has at least one GC that is hosted on a domain controller.

    In Windows 2000, there was typically one GC on every site in order to prevent user logon failures across the

    network.

    16. How is user account security established in Windows Server 2003?

    When an account is created, it is given a unique access number known as a security identifier (SID). Every

    group to which the user belongs has an associated SID.


    The user and related group SIDs together form the user account's security token, which determines access levels to objects throughout the system and network. SIDs from the security token are mapped to the access control list (ACL) of any object the user attempts to access.

    17. If I delete a user and then create a new account with the same username and password, would the SID and permissions stay the same?

    No. If you delete a user account and attempt to recreate it with the same user name and password, the SID will be different.
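
    The token-to-ACL matching from questions 16 and 17, as an added Python model that is not part of the original page and is not the Windows API. The domain SID, account names, rights and all function names are constructed for illustration.

```python
import itertools
from dataclasses import dataclass, field

# Constructed domain identifier (assumption); real SIDs are issued by the domain.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
_next_rid = itertools.count(1105)  # a relative ID is handed out once, never reused


def new_sid():
    """Issue a fresh SID, as happens whenever an account or group is created."""
    return f"{DOMAIN_SID}-{next(_next_rid)}"


@dataclass
class Account:
    """A user or a group; both are security principals with their own SID."""
    name: str
    sid: str = field(default_factory=new_sid)


@dataclass(frozen=True)
class Ace:
    kind: str          # "allow" or "deny"
    sid: str           # the SID this entry applies to
    rights: frozenset  # e.g. {"read", "write"}


def build_token(user, groups):
    """Security token = the user's SID plus the SID of every group the user is in."""
    return {user.sid} | {g.sid for g in groups}


def access_check(token, acl, wanted):
    """Walk the ACL in order: a matching deny ends the check, allows accumulate."""
    remaining = set(wanted)
    for ace in acl:
        if ace.sid not in token:
            continue
        if ace.kind == "deny" and remaining & ace.rights:
            return False
        if ace.kind == "allow":
            remaining -= ace.rights
        if not remaining:
            return True
    return False  # anything not explicitly allowed is refused


def orphaned_sids(acl, live_accounts):
    """SIDs named in the ACL that no longer belong to any existing account."""
    live = {a.sid for a in live_accounts}
    return sorted({ace.sid for ace in acl} - live)


def demo():
    staff = Account("Staff")
    contractors = Account("Contractors")
    alice = Account("alice")
    # ACL in the usual order: deny entries first, then allow entries.
    acl = [
        Ace("deny", contractors.sid, frozenset({"write"})),
        Ace("allow", alice.sid, frozenset({"read", "write"})),
        Ace("allow", staff.sid, frozenset({"read"})),
    ]
    results = {}
    results["original"] = access_check(
        build_token(alice, [staff]), acl, {"read", "write"})
    # A deny entry on any SID in the token wins over the user's own allow entry.
    results["original_as_contractor"] = access_check(
        build_token(alice, [staff, contractors]), acl, {"write"})

    # Delete alice and recreate the account with the same name: the SID differs.
    recreated = Account("alice")
    results["same_name_same_sid"] = recreated.sid == alice.sid
    results["recreated_no_groups"] = access_check(
        build_token(recreated, []), acl, {"read"})
    # Re-adding the group restores only what the group's own entry grants.
    results["recreated_in_staff_read"] = access_check(
        build_token(recreated, [staff]), acl, {"read"})
    results["recreated_in_staff_write"] = access_check(
        build_token(recreated, [staff]), acl, {"write"})
    # The old SID is still on the ACL but resolves to no existing account.
    results["orphaned"] = orphaned_sids(
        acl, [staff, contractors, recreated]) == [alice.sid]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    The entry left behind for the deleted account is what an administrator has to find and replace after recreating a user, because nothing on the ACL refers to the new SID.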

    18. What do you do with secure sign-ons in an organization with many roaming users?

    The Credential Management feature of Windows Server 2003 provides a consistent single sign-on experience for users. This can be useful for roaming users who move between computer systems.

    The Credential Management feature provides a secure store of user credentials that includes passwords and

    X.509 certificates.

    19. Anything special you should do when adding a user that has a Mac?

    "Save password as encrypted clear text" must be selected on User Properties Account Tab Options, since

    the Macs only store their passwords that way.

    20. What remote access options does Windows Server 2003 support?

    Dial-in, VPN, dial-in with callback.

    21. Where are the documents and settings for the roaming profile stored?

    All the documents and environmental settings for the roaming user are stored locally on the system, and,

    when the user logs off, all changes to the locally stored profile are copied to the shared server folder.

    Therefore, the first time a roaming user logs on to a new system the logon process may take some time,

    depending on how large his profile folder is.

    22. Where are the settings for all the users stored on a given machine?

    \Documents and Settings\All Users

    23. What languages can you use for log-on scripts?

    JavaScript, VBScript, DOS batch files (.com, .bat, or even .exe)


    Understanding the Windows Server 2003 Routing Table

    The Windows Server 2003 routing table contains the following standard fields:

    * Network Destination

    * Netmask

    * Gateway

    * Interface

    * Metric

    * Protocol

    With Windows Server 2003, you can view the routing table using:

    * The route command from the command line. The route commands in Windows 2000, Windows XP and Windows Server 2003 are all the same.

    * The Routing and Remote Access management console. You can access the Routing and Remote Access console by clicking Start, Administrative Tools, and then clicking Routing and Remote Access.

    The main differences between the previous routing tables and the Windows Server 2003 routing tables are listed below:

    * With Windows Server 2003, the routing metric is automatically calculated by the TCP/IP protocol. The speed of the interface is used to determine the routing metric. The feature is enabled by default.

    * With the previous routing tables, the netmask for the Class D multicast is specified as 224.0.0.0. With Windows Server 2003 routing tables, the netmask for the Class D multicast is specified as 240.0.0.0.

    * The routing tables in Windows Server 2003 can be viewed and maintained through the Routing and Remote Access management console. In Windows 2000 and Windows XP, routing tables could only be viewed and modified from the command line, using the route command.
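
    How the Network Destination, Netmask, Gateway, Interface and Metric fields decide where a packet goes, and what the change of the multicast netmask from 224.0.0.0 to 240.0.0.0 covers, as an added Python sketch that is not part of the original page. The table is constructed sample data, the function names are illustrative, and the selection rule shown (most specific route first, lowest metric as tie-break) is the standard IP route selection rule rather than something the page states.

```python
import ipaddress
from typing import NamedTuple

# Constructed table for a host with two interfaces, 192.168.1.10 and 192.168.2.10.
# Columns: Network Destination, Netmask, Gateway, Interface, Metric.
# The Protocol column is left out because it does not take part in the lookup.
ROUTE_TABLE = """\
0.0.0.0          0.0.0.0          192.168.1.1    192.168.1.10  20
0.0.0.0          0.0.0.0          192.168.2.1    192.168.2.10  30
10.20.0.0        255.255.0.0      192.168.1.254  192.168.1.10  5
127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1     1
192.168.1.0      255.255.255.0    192.168.1.10   192.168.1.10  20
192.168.1.10     255.255.255.255  127.0.0.1      127.0.0.1     20
192.168.2.0      255.255.255.0    192.168.2.10   192.168.2.10  30
224.0.0.0        240.0.0.0        192.168.1.10   192.168.1.10  20
255.255.255.255  255.255.255.255  192.168.1.10   192.168.1.10  1
"""


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    interface: ipaddress.IPv4Address
    metric: int


def parse_routes(text):
    """Parse the five columns; reject entries a router could not use."""
    routes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        dest, mask, gateway, interface, metric = line.split()
        # strict=True raises ValueError when the destination has bits set
        # outside the netmask or the netmask is not contiguous.
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=True)
        routes.append(Route(network,
                            ipaddress.IPv4Address(gateway),
                            ipaddress.IPv4Address(interface),
                            int(metric)))
    return routes


def next_hop(routes, destination):
    """Return (gateway, interface, metric) of the route that would be used."""
    address = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if address in r.network]
    if not matches:
        return None  # no default route and nothing more specific
    # Longest netmask wins; among equally specific routes the lowest metric wins.
    best = min(matches, key=lambda r: (-r.network.prefixlen, r.metric))
    return str(best.gateway), str(best.interface), best.metric


def covered_range(dest, mask):
    """First and last address matched by a destination/netmask pair."""
    network = ipaddress.IPv4Network(f"{dest}/{mask}")
    return str(network.network_address), str(network.broadcast_address)


if __name__ == "__main__":
    table = parse_routes(ROUTE_TABLE)
    for target in ("10.20.30.40", "203.0.113.9", "192.168.1.77", "239.255.255.250"):
        print(target, "->", next_hop(table, target))
    print("mask 240.0.0.0:", covered_range("224.0.0.0", "240.0.0.0"))
    print("mask 224.0.0.0:", covered_range("224.0.0.0", "224.0.0.0"))
```

    With netmask 240.0.0.0 the multicast entry matches only 224.0.0.0 through 239.255.255.255, while netmask 224.0.0.0 would also match everything from 240.0.0.0 upward.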

    How to view the routing table in Windows Server 2003:

    1. Click Start, Administrative Tools, and click Routing And Remote Access to open the Routing And Remote Access console.

    2. In the console tree, expand the IP Routing node.

    3. Right-click the Static Routes node, and then select the Show IP Routing Table command from the shortcut menu.

    4. When the routing table is viewed from the Routing And Remote Access console, the Protocol field is displayed. The Protocol field indicates the manner in which the route was discovered.

    How to add routing table entries using the Routing And Remote Access console:

    1. Click Start, Administrative Tools, and click Routing And Remote Access to open the Routing And Remote Access console.

    2. In the console tree, expand the IP Routing node.

    3. To view the routing table for an interface, right-click the specific interface, and then select Show IP Routing Table from the shortcut menu.

    4. To add a static routing table entry, expand the IP Routing node, and then select Static Routes.

    5. Right-click Static Routes, and click Add Static Route on the shortcut menu.

    6. The Static Route dialog box opens.

    7. From the Interface drop-down list box, select the interface.

    8. Enter a value for Destination.

    9. Enter a value for Network mask.

    10. Enter a value for Gateway.

    11. Enter a value for Metric.

    12. Leave the demand-dial connections checkbox enabled if the route is to be used for demand-dial connections.

    13. Click OK.


    How to delete routing table entries using the Routing And Remote Access console:

    1. Click Start, Administrative Tools, and click Routing And Remote Access to open the Routing And Remote Access console.

    2. In the console tree, expand the IP Routing node.

    3. Select Static Routes to display the current static routes in the right pane.

    4. Locate and select the static route that you want to remove from the IP routing table.

    5. Right-click the specific static route, and then select Delete from the shortcut menu.

    6. The static route is immediately removed from the routing table.

    How to disable the automatic metric calculation feature:

    1. Click Start, Control Panel, and then click Network Connections.

    2. Select Local Area Connection.

    3. The Local Area Connection Properties dialog box opens.

    4. In the This connection uses the following items box, select the Internet Protocol (TCP/IP). Click Properties.

    5. When the Internet Protocol (TCP/IP) Properties dialog box opens, click Advanced.

    6. The Advanced TCP/IP Settings dialog box contains a number of tabs: IP Settings tab, DNS tab, WINS tab and Options tab.

    7. The IP Settings tab is divided into the following areas:

    * IP addresses

    * Default gateways

    * Automatic metric

    8. In the Automatic metric area of the IP Settings tab, uncheck the Automatic metric checkbox to disable the automatic metric calculation feature.

    9. You can manually enter the Interface metric once the automatic metric calculation feature is disabled.

    10. Proceed to set the value for the Interface metric in the available field.

    11. Click OK to save your changes and close the Advanced TCP/IP Settings dialog box.

    12. Click OK to close the Internet Protocol (TCP/IP) Properties dialog box.

    13. Click OK to close the Local Area Connection Properties dialog box.


    Technical Interview Questions Networking

    What is an IP address? What is a subnet mask? What is ARP?

    What is ARP Cache Poisoning? What is the ANDing process?

    What is a default gateway? What happens if I don't have one? Can a workstation computer be configured to browse the Internet and yet NOT have a default

    gateway? What is a subnet?

    What is APIPA?

    What is an RFC? Name a few if possible (not necessarily the numbers, just the ideas behind them) What is RFC 1918?

    What is CIDR? You have the following Network ID: 192.115.103.64/27. What is the IP range for your network?

    You have the following Network ID: 131.112.0.0. You need at least 500 hosts per network. How

    many networks can you create? What subnet mask will you use? You need to look at network traffic. What will you use? Name a few tools.

    How do I know the path that a packet takes to the destination? What does the ping 192.168.0.1 -l 1000 -n 100 command do? What is DHCP? What are the benefits and drawbacks of using it? Describe the steps taken by the client and DHCP server in order to obtain an IP address. What is the DHCPNACK and when do I get one? Name 2 scenarios.

    What ports are used by DHCP and the DHCP clients? Describe the process of installing a DHCP server in an AD infrastructure. What is DHCPINFORM? Describe the integration between DHCP and DNS. What options in DHCP do you regularly use for an MS network?

    What are User Classes and Vendor Classes in DHCP? How do I configure a client machine to use a specific User Class? What is the BOOTP protocol used for, where might you find it in Windows network infrastructure? DNS zones: describe the differences between the 4 types. DNS record types: describe the most important ones.

    Describe the process of working with an external domain name

    Describe the importance of DNS to AD. Describe a few methods of finding an MX record for a remote domain on the Internet.

    What does "Disable Recursion" in DNS mean? What could cause the Forwarders and Root Hints to be grayed out?

    What is a "Single Label domain name" and what sort of issues can it cause? What is the "in-addr.arpa" zone used for?

    What are the requirements from DNS to support AD?

    How do you manually create SRV records in DNS? Name 3 benefits of using AD-integrated zones.

    What are the benefits of using Windows 2003 DNS when using AD-integrated zones? You installed a new AD domain and the new (and first) DC has not registered its SRV records in DNS.

    Name a few possible causes.

    What are the benefits and scenarios of using Stub zones? What are the benefits and scenarios of using Conditional Forwarding? What are the differences between Windows Clustering, Network Load Balancing and Round Robin, and

    scenarios for each use?

    How do I work with the Host name cache on a client computer? How do I clear the DNS cache on the DNS server? What is the 224.0.1.24 address used for? What is WINS and when do we use it? Can you have a Microsoft-based network without any WINS server on it? What are the

    "considerations" regarding not using WINS? Describe the differences between WINS push and pull replications. What is the difference between tombstoning a WINS record and simply deleting it? Name the NetBIOS names you might expect from a Windows 2003 DC that is registered in WINS.

    PETRI


    Describe the role of the routing table on a host and on a router. What are routing protocols? Why do we need them? Name a few.

    What are router interfaces? What types can they be? In Windows 2003 routing, what are the interface filters? What is NAT?

    What is the real difference between NAT and PAT? How do you configure NAT on Windows 2003?

    How do you allow inbound traffic for specific hosts on Windows 2003 NAT?

    What is VPN? What types of VPN does Windows 2000 and beyond work with natively? What is IAS? In what scenarios do we use it? What's the difference between Mixed mode and Native mode in AD when dealing with RRAS?

    What is the "RAS and IAS" group in AD? What are Conditions and Profile in RRAS Policies? What types of authentication can a Windows 2003 based RRAS work with?

    How does SSL work? How does IPSec work? How do I deploy IPSec for a large number of computers? What types of authentication can IPSec use? What is PFS (Perfect Forward Secrecy) in IPSec?

    How do I monitor IPSec? Looking at IPSec-encrypted traffic with a sniffer. What packet types do I see? What can you do with NETSH?

    How do I look at the open ports on my machine?


    Technical Interview Questions Exchange 2003

    Tell me a bit about the capabilities of Exchange Server. What are the different Exchange 2003 versions? What's the main differences between Exchange 5.5 and Exchange 2000/2003?

    What are the major network infrastructure for installing Exchange 2003? What is the latest Exchange 2003 Service Pack? Name a few changes in functionality in that SP.

    What are the disk considerations when installing Exchange (RAID types, locations and so on). You got a new HP DL380 (2U) server, dual Xeon, 4GB of RAM, 7 SAS disks, 64-bit. What do you do

    next to install Exchange 2003? (you have AD in place) Why not install Exchange on the same machine as a DC?

    Are there any other installation considerations?

    How would you prepare the AD Schema in advance before installing Exchange? What type of permissions do you need in order to install the first Exchange server in a forest? In a

    domain? How would you verify that the schema was in fact updated?

    What type of memory optimization changes could you do for Exchange 2003? How would you check your Exchange configuration settings to see if they're right? What are the Exchange management tools? How and where can you install them?

    What types of permissions are configurable for Exchange? How can you grant access for an administrator to access all mailboxes on a specific server? What is the Send As permission? What other management tools are used to manage and control Exchange 2003? Name the tools you'd

    use.

    What are Exchange Recipient types? Name 5. You created a mailbox for a user, yet the mailbox does not appear in ESM. Why? You wanted to change mailbox access permissions for a mailbox, yet you see the SELF permission

    alone on the permissions list. Why? What are Query Based Distribution groups?

    What type of groups would you use when configuring distribution groups in a multiple domain forest? Name a few configuration options for Exchange recipients. What's the difference between Exchange 2003 Std. and Ent. editions when related to storage options

    and size? Name a few configuration options related to mailbox stores.

    What are System Public Folders? Where would you find them?

    How would you plan and configure Public Folder redundancy? How can you immediately stop PF replication?

    How can you prevent PF referral across slow WAN links? What types of PF management tools might you use?

    What are the differences between administrative permissions and client permissions in PF? How can you configure PF replication from the command prompt in Exchange 2003?

    What are the message hygiene options you can use natively in Exchange 2003?

    What are the configuration options in IMF? What are virtual servers? When would you use more than one?

    Name some of the SMTP Virtual Server configuration options. What is a Mail Relay? Name a few known mail relay software or hardware options.

    What is a Smart Host? Where would you configure it?

    What are Routing Groups? When would you use them? What are the types of Connectors you can use in Exchange? What is the cost option in Exchange connectors? What is the Link State Table? How would you view it?

    How would you configure mail transfer security between 2 routing groups? What is the Routing Group Master? Who holds that role? Explain the configuration steps required to allow Exchange 2003 to send and receive email from the

    Internet (consider a one-site multiple server scenario). What is DS2MB?

    What is Forms Based Authentication? How would you configure OWA's settings on an Exchange server? What is DSACCESS? What are Recipient Policies?

    Page 1 of 2Daniel Petris MCSE and System Administrator Job Interview Questions Part 3 Exch...

    5/27/2010http://www.petri.co.il/mcse-system-administrator-exchange-interview-questions.htm


    How would you work with multiple recipient policies? What is the "issue" with trying to remove email addresses added by recipient policies? How would you

    fix that? What is the RUS? When would you need to manually create additional RUS?

    What are Address Lists? How would you modify the filter properties of one of the default address lists?

    How can you create multiple GALs and allow the users to only see the one related to them?

    What is a Front End server? In what scenarios would you use one? What type of authentication is used on the front end servers? When would you use NLB?

    How would you achieve incoming mail redundancy? What are the 4 types of Exchange backups? What is the Dial-Tone server scenario?

    When would you use offline backup? How do you re-install Exchange on a server that has crashed but with AD intact? What is the dumpster? What are the e00xxxxx.log files? What is the e00.chk file?

    What is circular logging? When would you use it? What's the difference between online and offline defrag? How would you know if it is time to perform an offline defrag of your Exchange stores?

    How would you plan for, and perform the offline defrag? What is the eseutil command?

    What is the isinteg command? How would you monitor Exchange's services and performance? Name 2 or 3 options. Name all the client connection options in Exchange 2003. What is Direct Push? What are the requirements to run it? How would you remote wipe a PPC?

    What are the issues with connecting Outlook from a remote computer to your mailbox? How would you solve those issues? Name 2 or 3 methods What is RPC over HTTP? What are the requirements to run it?

    What is Cached Mode in OL2003/2007? What are the benefits and "issues" when using cached mode? How would you tackle those issues?

    What is S/MIME? What are the usage scenarios for S/MIME? What are the IPSec usage scenarios for Exchange 2003?

    How do you enable SSL on OWA?

    What are the considerations for obtaining a digital certificate for SSL on Exchange? Name a few 3rd-party CAs.

    What do you need to consider when using a client-type AV software on an Exchange server? What are the different clustering options in Exchange 2003? Which one would you choose and why?


    Technical Interview Questions Active Directory

    What is Active Directory? What is LDAP? Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.

    Where is the AD database held? What other folders are related to AD? What is the SYSVOL folder?

    Name the AD NCs and replication issues for each NC. What are application partitions? When do I use them? How do you create a new application partition? How do you view replication properties for AD partitions and DCs?

    What is the Global Catalog?

    How do you view all the GCs in the forest? Why not make all DCs in a large forest as GCs?

    Trying to look at the Schema, how can I do that? What are the Support Tools? Why do I need them?

    What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN? What are sites? What are they used for? What's the difference between a site link's schedule and interval?

    What is the KCC? What is the ISTG? Who has that role by default? What are the requirements for installing AD on a new server? What can you do to promote a server to DC if you're in a remote location with slow WAN link? How can you forcibly remove AD from a server, and what do you do later? Can I get user passwords

    from the AD database? What tool would I use to try to grab security related packets from the wire? Name some OU design considerations. What is tombstone lifetime attribute? What do you do to install a new Windows 2003 DC in a Windows 2000 AD?

    What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD? How would you find all users that have not logged on since last month? What are the DS* commands? What's the difference between LDIFDE and CSVDE? Usage considerations? What are the FSMO roles? Who has them by default? What happens when each one fails?

    What FSMO placement considerations do you know of?

    I want to look at the RID allocation table for a DC. What do I do? What's the difference between transferring a FSMO role and seizing one? Which one should you NOT

    seize? Why? How do you configure a "stand-by operation master" for any of the roles?

    How do you backup AD? How do you restore AD?

    How do you change the DS Restore admin password?

    Why can't you restore a DC that was backed up 4 months ago? What are GPOs?

    What is the order in which GPOs are applied? Name a few benefits of using GPMC.

    What are the GPC and the GPT? Where can I find them?

    What are GPO links? What special things can I do to them? What can I do to prevent inheritance from above? How can I override blocking of inheritance? How can you determine what GPO was and was not applied for a user? Name a few ways to do that.

    A user claims he did not receive a GPO, yet his user and computer accounts are in the right OU, and everyone else there gets the GPO. What will you look for?

    Name a few differences in Vista GPOs. Name some GPO settings in the computer and user parts. What are administrative templates?

    What's the difference between software publishing and assigning? Can I deploy non-MSI software with GPO? You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers

    etc.) on the computers in one department. How would you do that?


    PC Hardware

    What is FSB? What are Vcore and Vi/o? On what type of socket can you install a Pentium 4 CPU?

    What is SMP? Which Intel and AMD processors support SMP?

    How do LGA sockets differ from PGA and SEC? What is the difference between Pentium 4 and Pentium Core 2 Duo? Explain the new technology. How does IRQ priority work? What technology enables you to upgrade your computer's BIOS by simply using software?

    What happens if you disassemble the battery located on the Mother-Board?

    How do L1, L2, and L3 work? How should we install RAM on a Dual-Channel Motherboard?

    What is the advantage of serial over parallel bus? Is USB using serial or parallel bus? What about Firewire?

    How much power is supplied to each USB port? When should you change your bus-powered USB hub to a self-powered USB hub? What is a UPS?

    What is the difference between standby and online UPS? What is LBA (in Hard-Disks)? How many Hard Disks can you install on an E-IDE controller? Can you configure two hard disks to use the Master setting on the same PC? What is the difference between Narrow-SCSI and Wide-SCSI?

    What is SAS? What are the three main reasons for using RAID? Is RAID 0 considered to be a redundant Solution? Why? How many disks can be used for RAID 1? How does RAID 5 work?

    What is the smallest number of disks required for RAID5? What other types of RAID do you know? What are the six steps for laser printing? What is the difference between PCI-EX x1 and PCI-EX x16?

    Microsoft-based Operating Systems

    What is the difference between a workgroup and a domain?

    What are the major advantages of working in a domain model? What types of operating system installation methods do you know?

    What is an answer file? How would you create an answer file for Windows XP? How would you create one for Windows Vista?

    How do you perform an unattended installation on Windows XP?

    What is Sysprep? How do you use Sysprep? What is the major difference between Newsid and Sysprep? What is the function of the pagefile.sys file?

    What is the function of the hiberfil.sys file?

    What is the Registry?

    How can you edit the Registry? Name at least 3 ways of doing that. What should you do if you receive a message stating: "The following file is missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SYSTEM"?

    How would you repair an unsuccessful driver update?

    When should you use each of the following tools: System Restore, LKGC and Recovery Console? How do you set different print priority for different users? How can you reset a user's password if you don't know his current password? What's the difference between changing a user's password and resetting it?

    You want to grant a user the right to perform backups. Should you add him to the administrators group? What is MMC?


    What is gpedit.msc? How would you use the MMC to manage other servers on your network?

    You set a local policy for your stand-alone XP Professional. Would the local policy affect the administrators group?

    What's new in the Windows Vista Local Policy?

    What is the difference between User Privileges and User Permissions? What is Safe Mode?

    Which logs can be found in Event Viewer?

    What is msconfig? On which OS can it be found? Can you upgrade XP Home Edition to Server 2003? Which permission will you grant a user for a folder he needs to be able to create and delete files in, if

    you do not want him to be able to change permissions for the folder? What is the difference between clearing the "allow" permission and checking the "deny"?

    Networking

    What is a NIC? What is a MAC Address? When would you use a crosslink cable?

    What are the main advantages and disadvantages of Fiber-Optic-based networks? What is the difference between a Hub and a Switch?

    On which OSI layer can a router be found? What is CSMA/CD? What is multicast?

    What is Broadcast? What is the difference between TCP and UDP? Describe some of the settings that are added by TCP and by UDP to the packet's header.

    What are TCP Ports? Name a few. What is a TCP Session?

    What three elements make up a socket? What will happen if you leave the default gateway information empty while manually configuring

    TCP/IP?

    What will happen if you execute the following command: "arp -d *"? What is ICMP?

    When would you use the ping command with the "-t" switch?

    What command-line tool would help you discover for which port numbers your computer is listening? What is APIPA? How would you recognize it?

    What is a Cyclic Redundancy Check? What would you type in at a command prompt to view the IP settings for the computer that you are

    sitting at? What command would you type in at a command prompt to view the IP address of the remote

    computer?

    What is the W Value for class B? What is the Net ID of an IP Address of 18.9.25.3 with Subnet Mask of 255.0.0.0? What is CIDR? What is 255.255.255.255 used for?

    What is the maximum number of hosts for a Class B Network?

    What is the (default) class type of 195.152.12.1? What is the subnet mask for 10.0.10.1/17? What is the result when changing from a subnet mask of 255.255.224.0 to a subnet mask of

    255.255.240.0?

    How can you access a shared folder from a remote computer? Name at least 3 methods.


    How to install Windows Server 2003 certificate services (enterprise root CA)

    1. Place the Windows 2003 CD-ROM into the CD-ROM drive.

    2. Select Install optional Windows components.

    3. This action launches the Windows Components Wizard.

    4. On the Wizard Components page, select Certificate Services.

    5. Click Yes in the message dialog box that warns that you would not be able to modify the name of the server.

    6. In the CA Type page, select Enterprise Root CA. Click Next.

    7. In the CA Identifying Information page, set the common name for the CA. This name will be used in Active Directory, and in the enterprise.

    8. In the Validity Period boxes, enter the lifetime for the CA. Click Next.

    9. On the Certificate Database Settings page, verify that the locations specified for the database file and log files are correct.

    10. At this stage IIS services are stopped, and the certificate service is installed and the CA database started. IIS is restarted after this.

    11. Click OK when a message dialog box appears, warning that ASP must be enabled for Web enrollment.

    12. Click Finish.

    How to use Web enrollment to request a certificate

    1. Use Internet Explorer 5.0 or later to connect to the CA.

    2. In the Web browser's Address window, enter http:// /certsrv, and press Enter.

    3. On the Certification Services Welcome page, click Request a Certificate.

    4. The following page presents the User certificate option with an Advanced Certificate Request option for acquiring a smart card certificate.

    5. Click the Advanced Certificate Request option.

    6. When the Advanced Certificate Request page appears, click Create And Submit A Request To This CA.

    7. Select Web Server from the Certificate Template list box.

    8. Proceed to provide the necessary information in the Identifying Information For Offline Template section of the page.

    9. Click Submit.

    10. Click Yes if a message is displayed about a potential scripting violation.

    11. After the server processes the certificate, you are presented with a Certificate Issued page that allows you to install the certificate on the Web server.

    12. Click Install This Certificate to complete the process.

    How to install a stand-alone root CA

    1. Click Start, Control Panel, and click Add Or Remove Programs.
    2. Select Add/Remove Windows Components in the Add Or Remove Programs dialog box.
    3. When the Windows Components Wizard starts, click Certificate Services, and click Details.
    4. In the Certificate Services dialog box, enable the Certificate Services CA checkbox, and enable the Certificate Services Web Enrollment Support checkbox.
    5. Click Yes to the message warning that the name of the CA cannot be changed.
    6. Click OK to close the Certificate Services dialog box.
    7. Click Next in the Windows Components Wizard.
    8. When the CA Types page appears, select Stand-alone Root CA. Click Next.
    9. On the CA Identifying Information page, enter a name for the CA in the Common Name For This CA box. Click Next.
    10. You can accept or change the default settings in the Certificate Database Settings page. Click Next.
    11. The certificate service is installed and the CA database started. IIS is restarted after this.
    12. Click OK if a message dialog box appears, warning that ASP must be enabled for Web enrollment.
    13. Click Finish.

    An Overview on Certificate Templates

    With a Windows PKI implementation, certificate templates are used to assign certificates according to the purpose for which they are to be used. Certificate templates can be defined as a set of rules and settings which specify the content and format of certificates that are issued, based on intended use. You configure certificate templates on the CAs within your PKI implementation. The certificate template is applied when a user requests a certificate from the CA. When a user requests a certificate, the user basically selects types of certificates as specified by certificate templates. You should customize the default certificate templates according to their intended use before you deploy them within your environment. The security requirements of your organization ultimately determine which types of security templates should be deployed within your organization. Default certificates are provided for users, computers, code signing, and Encrypting File System (EFS).

    The certificate templates also stipulate how a valid certificate request should be submitted to the CA. From this short discussion, you can conclude that certificate templates ease the management of certificates, because they can be used to automate the process of issuing certificates, based on the requirements set by the Administrator. Windows Server 2003 includes the new auto-enrollment feature, which allows for the issuing of User certificates when the user logs on to a Windows Server 2003 client.

    Certificate templates are also used to manage whether security principals are allowed to enroll, auto-enroll, or read certificates, according to the particular certificate template. Each certificate template has an access control list (ACL) which specifies permissions for security principals for the particular certificate template. The Certificate Templates snap-in is used to define permissions for certificate templates.

    Because different certificate templates can be used for different users, and they can be used by an assortment of applications, you can define application policies. An application policy allows you to specify the manner in which a certificate template can be used, and with what applications. In order to use a certificate template, the certificate template's definition has to be published in Active Directory, so that it is available to all CAs in your Active Directory forest. To enable this, certificate template information should be stored in Active Directory. Active Directory replication would distribute the certificate template's definition to each CA within your PKI implementation.

    Windows Server 2003 supports the following certificate template types:

    * Version 1 Certificate Templates: With Version 1 certificate templates, all information within the certificate template is hard-coded. What this basically means is that you cannot modify the properties of these certificate templates. In addition to this, you cannot remove Version 1 certificate templates either. You can however duplicate these certificate templates. Support for Version 1 certificate templates is included in Windows Server 2003 for backward compatibility for servers running Windows 2000 operating systems. Version 1 certificate templates can be used by Windows 2000 and Windows XP clients.

    * Version 2 Certificate Templates: This certificate template type improves on the shortcoming of Version 1 certificate templates, which prevented Administrators from modifying existing certificate templates properties. By default, when the initial CA is installed in a forest, Version 1 certificate templates are created. Version 2 certificate templates are created when you duplicate Version 1 certificate templates. Computers running Windows 2000 and Windows XP are unable to issue certificates using Version 2 certificate templates. Computers running Windows Server 2003 Enterprise Edition and Windows Server 2003 Datacenter Edition can issue certificates which are based on Version 2 certificate templates.

    The methods which can be used to modify an existing Version 2 certificate template are listed below:

    * You can directly modify the original Version 2 certificate template: You can use the new Windows Server 2003 capability, and change the properties of Version 2 certificate templates. After the modifications are done, new enrollees would be issued certificates, based on the new settings. The Certificate Templates snap-in can be used to re-issue the particular certificate to users that have formerly been issued the certificate, based on the prior Version 2 certificate template.

    * You can supersede Version 2 certificate templates: When you supersede a Version 2 certificate template, you replace the certificate template with a new one. This method is also used when changes need to be made to a Version 1 certificate template. You basically have to supersede the certificate template with a Version 2 certificate template.

    As mentioned previously, Windows Server 2003 includes default user certificate templates. These certificate templates are Version 1 certificate templates, and are listed below:

    * Administrator; used for user authentication, secure e-mail, EFS encryption, and certificate trust list signing.
    * Authenticated Session; used to authenticate users to a Web server.
    * Basic EFS; used for encrypting and decrypting data through EFS encryption.
    * Code Signing; used to digitally sign software code.
    * EFS Recovery Agent; for decrypting files which were encrypted with EFS encryption.
    * Enrollment Agent; for requesting certificates for other users.
    * Exchange Enrollment Agent (Offline request); for requesting certificates for other users, where the name of the user is provided in the request.
    * Exchange Signature Only; used by the Exchange Key Management Service to issue certificates to Exchange Server users, for the purpose of digitally signing e-mail.
    * Exchange User; used by the Exchange Key Management Service to issue certificates to Exchange Server users, for the purpose of encrypting e-mail.
    * Smartcard Logon; used for the authentication of users through smart card logon.
    * Smartcard User; used for the authentication of users through smart card logon, and for the encryption of e-mail. Also used to digitally sign e-mail.
    * Trust List Signing; used to digitally sign a trust list.
    * User; used by users for client authentication, EFS, and e-mail.
    * User Signature Only; used by users to digitally sign data.

    Windows Server 2003 also includes default computer certificate templates. Some of these certificate templates are Version 1 certificate templates, while others are Version 2 certificate templates:

    * CA Exchange (Version 2); for storing those keys used for private key archival.
    * CEP Encryption (Version 1); enables the computer to serve as a registration authority for Simple Certificate Enrollment Protocol (SCEP) requests.
    * Computer (Version 1); enables client and server authentication abilities for the computer.
    * Domain Controller Authentication (Version 2); for the authentication of Active Directory computers and users.
    * IPSEC (Version 1); enables authentication for computers through the use of IP Security (IPSec).
    * IPSEC (Offline request) (Version 1); used by IPSec to encrypt and decrypt, and digitally sign messages.
    * RAS and IAS Server (Version 2); provides Remote Access Services and Authentication Services servers with the ability to authenticate with other computers.
    * Router (Offline request) (Version 1); utilized by routers when requested via SCEP from a CA owning a Certificate Enrollment Protocol (CEP) Encryption certificate.
    * Web Server (Version 1); used to authenticate the Web server to clients.
    * Workstation Authentication (Version 2); allows client computers to authenticate to servers.

    A few other default templates are also available in Windows Server 2003:

    * Cross-Certification Authority; used for cross-certification, and also for qualified subordination.
    * Directory E-mail Replication; used for the replication of e-mail within Active Directory.
    * Domain Controller; enables client and server authentication abilities for the computer.
    * Key Recovery Agent; used to recover archived private keys on the CA.
    * Root Certification Authority and Subordinate Certification Authority; used to verify the identities of these CAs.

    As mentioned previously, the permissions defined on certificate templates determine what actions security principals can perform on the certificates.

    * Full Control; enables the security principal to change all the properties and permissions of the certificate template.

    * Write; enables the security principal to change all the properties of the certificate template. The security principal is not allowed to change the permissions of the certificate template.

    * Read; enables the security principal to locate the certificate template in Active Directory for the enrollment of certificates.

    * Enroll; enables the security principal to enroll for a certificate. The security principal also needs the Read permission for the certificate template.

    * Autoenroll; enables the security principal to use auto-enrollment to obtain a certificate. The security principal also needs the Read permission and Enroll permission.
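
    The permission dependencies listed above, as an added example that is not part of the original document: a short Python audit over constructed template ACLs that reports Enroll or Autoenroll grants missing their prerequisite permissions, and broad groups that can change a template. The principals, the ACL data, the list of broad groups and the treatment of Full Control as including the other permissions are assumptions.

```python
# Permission names are the five listed above.
PERMISSIONS = ("Full Control", "Write", "Read", "Enroll", "Autoenroll")
# Assumption: groups considered too broad to be allowed to change a template.
BROAD_PRINCIPALS = {"Authenticated Users", "Domain Users", "Everyone"}

# Constructed sample data: template -> {principal: granted permissions}.
# Template names come from the lists above; principals and grants are invented.
SAMPLE_ACLS = {
    "User": {
        "Domain Admins": {"Full Control"},
        "Domain Users": {"Read", "Enroll"},
    },
    "Workstation Authentication": {
        "Domain Computers": {"Read", "Autoenroll"},  # Enroll is missing
        "Enterprise Admins": {"Full Control"},
    },
    "Web Server": {
        "Authenticated Users": {"Read", "Write"},    # broad group can edit
        "Web Admins": {"Enroll"},                    # Read is missing
    },
}

def expand(granted):
    """Validate names; treat Full Control as including every permission (assumption)."""
    unknown = set(granted) - set(PERMISSIONS)
    if unknown:
        raise ValueError(f"unknown permission(s): {sorted(unknown)}")
    return set(PERMISSIONS) if "Full Control" in granted else set(granted)

def effective_rights(granted):
    """Apply the dependencies: Enroll needs Read; Autoenroll needs Read and Enroll."""
    perms = expand(granted)
    can_enroll = {"Read", "Enroll"} <= perms
    return {
        "enroll": can_enroll,
        "autoenroll": can_enroll and "Autoenroll" in perms,
        "edit_properties": "Write" in perms,
        "edit_permissions": "Full Control" in perms,
    }

def audit(acls, broad=BROAD_PRINCIPALS):
    """Return (template, principal, issue) tuples, sorted by template and principal."""
    findings = []
    for template, aces in sorted(acls.items()):
        for principal, granted in sorted(aces.items()):
            perms, rights = expand(granted), effective_rights(granted)
            if "Enroll" in perms and not rights["enroll"]:
                findings.append((template, principal, "Enroll granted without Read"))
            if "Autoenroll" in perms and not rights["autoenroll"]:
                findings.append((template, principal, "Autoenroll granted without Read and Enroll"))
            if principal in broad and rights["edit_properties"]:
                findings.append((template, principal, "broad group can change template properties"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACLS):
        print(" | ".join(finding))
```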

    1. Windows Server 2003 IIS and Scripting interview questions

    2. What is the presentation layer responsible for in the OSI model? The presentation layer establishes the data format prior to passing it along to the network application's interface. TCP/IP networks perform this task at the application layer.

    3. Does Windows Server 2003 support IPv6? Yes, run ipv6.exe from the command line to disable it.

    4. Can Windows Server 2003 function as a bridge? Yes, and it's a new feature for the 2003 product. You can combine several networks and devices connected via several adapters by enabling IP routing.

    5. What's the difference between the basic disk and dynamic disk? The basic type contains partitions, extended partitions, logical drives, and an assortment of static volumes; the dynamic type does not use partitions but dynamically manages volumes and provides advanced storage options.

    6. What's a media pool? It is any compilation of disks or tapes with the same administrative properties.

    7. How do you install recovery console? C:\i386\winnt32 /cmdcons, assuming that your Win server installation is on drive C.

    8. What's new in Terminal Services for Windows 2003 Server? Supports audio transmissions as well, although prepare for heavy network load.

    9. What scripts ship with IIS 6.0? iisweb.vbs to create, delete, start, stop, and list Web sites, iisftp.vbs to create, delete, start, stop, and list FTP sites, iisvdir.vbs to create, delete, start, stop, and display virtual directories, iisftpdr.vbs to create, delete, start, stop, and display virtual directories under an FTP root, iiscnfg.vbs to export and import IIS configuration to an XML file.

    10. What's the name of the user who connects to the Web site anonymously? IUSR_computername

    11. What secure authentication and encryption mechanisms are supported by IIS 6.0? Basic authentication, Digest authentication, Advanced digest authentication, Certificate-based Web transactions that use PKCS #7/PKCS #10, Fortezza, SSL, Server-Gated Cryptography, Transport Layer Security.

    12. What's the relation between SSL and TLS? Transport Layer Security (TLS) extends SSL by providing cryptographic authentication.

    13. What's the role of http.sys in IIS? It is the point of contact for all incoming HTTP requests. It listens for requests and queues them until they are all processed, no more queues are available, or the Web server is shut down.

    14. Where's ASP cache located on IIS 6.0? On disk, as opposed to memory, as it used to be in IIS 5.

    15. What is socket pooling? Non-blocking socket usage, introduced in IIS 6.0. More than one application can use a given socket.

    16. Describe the process of clustering with Windows 2003 Server when a new node is added. As a node goes online, it searches for other nodes to join by polling the designated internal network. In this way, all nodes are notified of the new node's existence. If other nodes cannot be found on a preexisting cluster, the new node takes control of the quorum resources residing on the shared disk that contains state and configuration data.

    17. What applications are not capable of performing in Windows 2003 Server clusters? The ones written exclusively for NetBEUI and IPX.

    18. What's a heartbeat? Communication processes between the nodes designed to ensure the nodes' health.

    19. What's a threshold in a clustered environment? The number of times a restart is attempted, when the node fails.

    20. You need to change an admin password on a clustered Windows box, but that requires rebooting the cluster, doesn't it? No, it doesn't. In a 2003 environment you can do that via the cluster.exe utility, which does not require rebooting the entire cluster.

    21. For the document of size 1 MB, what size would you expect the index to be with Indexing Service? 150-300 KB, 15-30% is a reasonable expectation.

    22. Doesn't the Indexing Service introduce a security flaw when allowing access to the index? No, because users can only view the indices of documents and folders that they have permissions for.

    23. What's the typical size of the index? Less than 100K documents - up to 128 MB. More than that - 256+ MB.

    24. Which characters should be enclosed in quotes when searching the index? &, @, $, #, ^, ( ), and |.

    25. How would you search for C++? Just enter C++, since + is not a special character (and neither is C).

    26. What about Barnes&Noble? Should be searched for as Barnes&Nob

    27. Are the searches case-sensitive? No.

    28. What's the order of precedence of Boolean operators in Microsoft Windows 2003 Server Indexing Service? NOT, AND, NEAR, OR.

    29. What's a vector space query? A multiple-word query where the weight can be assigned to each of the search words. For example, if you want to find information on black hole, but would prefer to give more weight to the word hole, you can enter black[1] hole[20] into the search window.

    30. What's a response queue? It's the message queue that holds response messages sent from the receiving application to the sender.

    31. What's MQPing used for? Testing Microsoft Message Queue services between the nodes on a network.

    32. Which add-on package for Windows 2003 Server would you use to monitor the installed software and license compliance? SMS (Systems Management Server).

    33. Which service do you use to set up various alerts? MOM (Microsoft Operations Manager).

    34. What languages does Windows Scripting Host support? VB, VBScript, JScript.