Cloud Infrastructure Services - Windows - AD - Q&A

Identity and access management (IAM) is a framework of business processes, policies and technologies that facilitates the management of electronic or digital identities. With an IAM framework in place, information technology (IT) managers can control user access to critical information within their organizations. Systems used for IAM include single sign-on systems, two-factor authentication, multifactor authentication and privileged access management. These technologies also provide the ability to securely store identity and profile data as well as data governance functions to ensure that only data that is necessary and relevant is shared.
What is Microsoft identity access management?
Microsoft Identity Manager -- also called Microsoft Identity Manager 2016 or MIM -- is an on-premises tool that enables organizations to manage access, users, policies and credentials.

What is Privileged Access Management (PAM)?
In a technology environment, privileged access refers to accounts with elevated capabilities beyond regular users. For example, in a Linux environment, the root user can add, amend or delete users; install and uninstall software and access restricted parts of operating systems that are off-limits to a standard user.
What is Azure AD Privileged Identity Management?
Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization. These resources include resources in Azure AD, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune.
What is Azure AD Connect?
Azure AD Connect is an on-premises Microsoft application that's designed to meet and accomplish your hybrid identity goals. If you're evaluating how to best meet your goals, you should also consider the cloud-managed solution Azure AD Connect cloud sync.
What is MIM?
Microsoft Identity Manager 2016 (MIM) is an on-premises, server-based synchronization engine. It synchronizes users’ digital identity data between systems. It’s the latest incarnation of an on-premises server-based Microsoft identity product which used to be called ForeFront Identity Manager 2010 R2 (FIM), and Identity Lifecycle Manager (ILM). 
What is Microsoft PKI?
What is a PKI? A PKI is a set of services combined to form an infrastructure for the purpose of securing applications. A PKI provides these services to applications:
What is ADFS?
Active Directory Federation Service (ADFS) is a software component developed by Microsoft to provide Single Sign-On (SSO) authorization service to users on Windows Server Operating Systems. ADFS allows users across organizational boundaries to access applications on Windows Server Operating Systems using a single set of login credentials.
ADFS makes use of the claims-based Access Control Authorization model to ensure security across applications using the federated identity. Claims-based authentication is a process in which a user is identified by a set of claims related to their identity. The claims are packaged into a secure token by the identity provider.

Explain what is SYSVOL?
The SYSVOL folder keeps the server’s copy of the domain’s public files. Its contents, such as user and group policy data, are replicated to all domain controllers in the domain.
What is the SYSVOL folder?
The term SYSVOL refers to a set of files and folders that reside on the local hard disk of each domain controller in a domain and that are replicated by the File Replication service (FRS). Network clients access the contents of the SYSVOL tree by using the following shared folders: NETLOGON.
Where is the SYSVOL folder located? C:\Windows\Sysvol\Domain
What is Windows KCC?
The Knowledge Consistency Checker (KCC) is a Microsoft Windows 2000 and Microsoft Windows Server 2003 component that automatically generates and maintains the intra-site and inter-site replication topology. You can disable the KCC's automatic generation of intra-site or inter-site topology management, or both.
What is KCC? 
The KCC is a built-in process that runs on all domain controllers and generates replication topology for the Active Directory forest. The KCC creates separate replication topologies depending on whether replication is occurring within a site (intrasite) or between sites (intersite).
What is LDAP for? What is LDAP? 
LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate data about organizations, individuals and other resources such as files and devices in a network -- whether on the public Internet or on a corporate Intranet. 
LDAP (Lightweight Directory Access Protocol) is an open and cross platform protocol used for directory services authentication. LDAP provides the communication language that applications use to communicate with other directory services servers.
What is FSMO used for?
Flexible single master operation (FSMO) is a Microsoft Active Directory feature that is a specialized domain controller task used when standard data transfer and update methods are inadequate.


FSMO Roles: What do They do?
FSMO gives you confidence that your domain will be able to perform the primary function of authenticating users and permissions without interruption (with standard caveats, like the network staying up).
Schema Master FSMO Role
The Schema Master role manages the read-write copy of your Active Directory schema. The AD Schema defines all the attributes – things like employee ID, phone number, email address, and login name – that you can apply to an object in your AD database.
Domain Naming Master FSMO Role
The Domain Naming Master makes sure that you don’t create a second domain in the same forest with the same name as another. It is the master of your domain names. Creating new domains isn’t something that happens often, so of all the roles, this one is most likely to live on the same DC with another role.
RID Master FSMO Role
The Relative ID Master assigns blocks of Security Identifiers (SID) to different DCs they can use for newly created objects. Each object in AD has an SID, and the last few digits of the SID are the Relative portion. In order to keep multiple objects from having the same SID, the RID Master grants each DC the privilege of assigning certain SIDs.
PDC Emulator FSMO Role
The DC with the Primary Domain Controller Emulator role is the authoritative DC in the domain. The PDC Emulator responds to authentication requests, changes passwords, and manages Group Policy Objects. And the PDC Emulator tells everyone else what time it is! It’s good to be the PDC.
Infrastructure Master FSMO Role
The Infrastructure Master role translates Globally Unique Identifiers (GUID), SIDs, and Distinguished Names (DN) between domains. If you have multiple domains in your forest, the Infrastructure Master is the Babelfish that lives between them. If the Infrastructure Master doesn’t do its job correctly you will see SIDs in place of resolved names in your Access Control Lists (ACL).

Infrastructure Master role in Global Catalog Server
The infrastructure master compares objects of the local domain against objects in other domains of the same forest. If the server holding the infrastructure master role is also a global catalog it won’t ever see any differences, since the global catalog itself holds a partial copy of every object in the forest.
If every DC in the domain is also a global catalog server there’s no job for the IM, since the GC already knows about the objects of other domains. So in short:
The Infrastructure Master should not be placed on a Global Catalog Server if:
    There are multiple domains
    Domain Controllers in the same Domain are not Global Catalog Servers
The Infrastructure Master is allowed to run on a Global Catalog Server if:
    There’s only one Domain in the Forest
    Every Domain Controller in the Domain is Global Catalog Server
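The placement rule above can be audited from a management workstation. The following is an added example, not code from the original page; it assumes the ActiveDirectory RSAT module and an account that can read every domain in the forest, and it reports all five FSMO holders while flagging an Infrastructure Master that sits on a GC in a multi-domain forest where not every DC is a GC.

```powershell
# Added example (not from the original page): audit FSMO role holders and check the
# Infrastructure Master / Global Catalog placement rule described above.
# Assumes the ActiveDirectory RSAT module and read access to every domain in the forest.
Import-Module ActiveDirectory

function Get-FsmoPlacementReport {
    $forest = Get-ADForest
    $report = foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        # Every DC in this domain, with its Global Catalog flag
        $dcs    = Get-ADDomainController -Filter * -Server $domainName
        $allGc  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
        $imHost = $domain.InfrastructureMaster
        $imIsGc = ($dcs | Where-Object { $_.HostName -eq $imHost }).IsGlobalCatalog
        # Rule from the text: IM on a GC is only a problem when the forest has more than
        # one domain AND not every DC in that domain is a GC.
        $misplaced = $imIsGc -and ($forest.Domains.Count -gt 1) -and (-not $allGc)
        [pscustomobject]@{
            Domain               = $domainName
            PDCEmulator          = $domain.PDCEmulator
            RIDMaster            = $domain.RIDMaster
            InfrastructureMaster = $imHost
            IMOnGlobalCatalog    = [bool]$imIsGc
            AllDCsAreGC          = $allGc
            IMPlacementWarning   = $misplaced
        }
    }
    [pscustomobject]@{
        SchemaMaster       = $forest.SchemaMaster
        DomainNamingMaster = $forest.DomainNamingMaster
        Domains            = $report
    }
}

$result = Get-FsmoPlacementReport
"Schema Master:        $($result.SchemaMaster)"
"Domain Naming Master: $($result.DomainNamingMaster)"
$result.Domains | Format-Table -AutoSize
$result.Domains | Where-Object IMPlacementWarning | ForEach-Object {
    Write-Warning "$($_.Domain): Infrastructure Master $($_.InfrastructureMaster) is a GC while other DCs are not; move the role or make every DC a GC."
}
```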


What is the tombstone lifetime in AD? The default tombstone lifetime is 60 days.
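The tombstone lifetime matters operationally because a DC that has not replicated for longer than it will reintroduce deleted objects as lingering objects. As an added example (not from the original page), the script below reads the forest's tombstoneLifetime attribute, falls back to the 60-day default when the attribute is unset, and flags replication partners whose last successful replication is older than a configurable share of that lifetime; it assumes the ActiveDirectory RSAT module.

```powershell
# Added example (not from the original page): compare each DC's replication age with the
# forest tombstone lifetime so stale partners are caught long before lingering objects appear.
# Assumes the ActiveDirectory RSAT module and read access to the configuration partition.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    $cfgNC = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" `
                       -Properties tombstoneLifetime
    # If the attribute is not set, the directory uses the default of 60 days stated above.
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Get-ReplicationAgeReport {
    param([int]$WarnAtPercent = 50)   # warn once a partner's age passes this share of the lifetime
    $tsl = Get-TombstoneLifetimeDays
    $now = Get-Date
    foreach ($dc in Get-ADDomainController -Filter *) {
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -Partition * -ErrorAction SilentlyContinue |
            ForEach-Object {
                $ageDays = ($now - $_.LastReplicationSuccess).TotalDays
                [pscustomobject]@{
                    Server           = $_.Server
                    Partner          = $_.Partner      # NTDS Settings DN of the source DC
                    Partition        = $_.Partition
                    DaysSinceSuccess = [math]::Round($ageDays, 1)
                    TombstoneDays    = $tsl
                    AtRisk           = $ageDays -ge ($tsl * $WarnAtPercent / 100)
                }
            }
    }
}

Get-ReplicationAgeReport | Sort-Object DaysSinceSuccess -Descending | Format-Table -AutoSize
```

Any row with AtRisk set to True deserves investigation before the partner crosses the full tombstone lifetime, after which its stale copies would have to be cleaned up as lingering objects.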

1. What do you mean by Active Directory?
Active Directory is a directory structure used on Microsoft Windows-based servers and computers to store data and information about domains and networks.
2. Name the default protocol used in directory services?
The default protocol used in directory services is LDAP (Lightweight Directory Access Protocol).
3. Define SYSVOL?
The SYSVOL folder keeps the server’s copy of the domain’s public files. The contents of the SYSVOL folder, such as user and group policy data, are replicated to all domain controllers in the domain.
4. Define the term FOREST in AD?
A forest describes a collection of AD domains that share a single schema for the AD. All DCs in the forest share this schema, and it is applied in a hierarchical fashion among them.
5. What is Kerberos?
Kerberos is an authentication protocol for the network. It is built to provide secure authentication for client applications by using secret-key cryptography.
6. What do you mean by lingering objects?
Lingering objects can exist if a domain controller does not replicate for an interval of time that is longer than the tombstone lifetime.
7. Define Active Directory Schema?
The schema is an Active Directory component that describes all the objects and attributes that the directory service uses to store data.
8. Name the components of AD?
The components of AD are:
• Physical Structures: Domain controllers and Sites
• Logical Structure: Trees, Forests, Domains and OUs
9. Define Infrastructure Master?
The Infrastructure Master is responsible for updating information about users and groups and the global catalog.
10. Define the domain?
A domain is a set of network resources for a group of users. The user needs only to log in to the domain to gain access to the resources, which may be located on a number of different servers in the network.
11. Explain subnet?
In computer networks based on the Internet Protocol Suite, a subnetwork is a portion of the network’s computers and network devices that share a common, designated IP address routing prefix.
12. What do you mean by organizational units?
The Organizational Unit is a critical design factor impacting policy, security, efficiency and the cost of administration. Organizational Units are a kind of LDAP (X.500) container. An OU can be thought of as a sub-domain element with properties comparable to those of domains.
13. What do you mean by Active Directory Recycle Bin?
Active Directory Recycle Bin is a feature of Windows Server 2008 AD. It helps to restore accidentally deleted Active Directory objects without using a backed-up AD database or rebooting the domain controller.
14. Tell me the purpose of replication in AD?
The purpose of replication is to distribute the data stored within the directory throughout the organization for increased availability, performance, and data protection. Systems administrators can tune replication to occur based on their physical network infrastructure and other constraints.
15. Define Mixed Mode?
Mixed mode allows domain controllers running both Windows 2000 and previous versions of Windows NT to co-exist in the domain. In mixed mode, the domain features from previous versions of Windows NT Server are still enabled, while some Windows 2000 features are disabled. Windows 2000 Server domains are installed in mixed mode by default. In mixed mode, the domain may have Windows NT 4.0 backup domain controllers present.
16. Explain stale?
Stale refers to references to objects that have been moved, so that the local copy of the remote object’s name is out of date.
17. Define SID?
A Security Identifier is a unique variable-length identifier used to identify a trustee or security principal.
18. Do we use clustering in Active Directory? Why?
No one installs Active Directory in a cluster. There is no need for clustering a domain controller. Active Directory provides total redundancy with two or more servers.
19. What is RID Master?
RID Master stands for Relative Identifier Master; it is responsible for assigning unique IDs to the objects created in AD.
20. What is child DC?
A child DC is a sub-domain controller under the root domain controller which shares a namespace with it.
21. What is the port no of Kerberos?
The port no is 88
22. What is the port number of Global catalog?
The port number of the global catalog is 3268
23. Tell me the port no of LDAP?
The port no of LDAP is 389
24. If I want to look at the schema, how can I do that?
Register schmmgmt.dll using this command:
c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc --> add snap-in --> add Active Directory Schema
Save it as schema.msc
Open administrative tools --> schema.msc
25. Define Native Mode?
When all domain controllers in a given domain are running Windows 2000 Server, this mode permits organizations to take advantage of new Active Directory features such as universal groups, inter-domain group membership and nested group membership.

Mention what system state data contains?
System state data contains:
    Startup files
    Registry
    Com + Registration Database
    Memory page file
    System files
    AD information
    SYSVOL Folder
    Cluster service information

List the ports used by Active Directory?
Below is the list of ports that are used by Active Directory:
    RPC endpoint mapper: port 135 TCP, UDP
    NetBIOS name service: port 137 TCP, UDP
    NetBIOS datagram service: port 138 UDP
    NetBIOS session service: port 139 TCP
    SMB over IP (Microsoft-DS): port 445 TCP, UDP
    LDAP: port 389 TCP, UDP
    LDAP over SSL: port 636 TCP
    Global catalog LDAP: port 3268 TCP
    Global catalog LDAP over SSL: port 3269 TCP
    Kerberos: port 88 TCP, UDP
    DNS: port 53 TCP, UDP
    WINS resolution: port 1512 TCP, UDP
    WINS replication: 42 TCP, UDP
    RPC: Dynamically-assigned ports TCP, unless restricted

https://www.varonis.com/blog/tag/active-directory

https://learning.shine.com/talenteconomy/interview-questions/active-directory-interview-questions/
