Are you tired of your current job and looking for a new position as a Windows Server Engineer/Administrator? Or maybe you have been working with Microsoft's server technologies for a long time and want to check whether your knowledge is up to date? Let's see what the 50 most common questions are that you can be asked during a Windows Server Administrator interview.
This is only the first of a series of entries related to IT interview questions. I am also preparing a list of questions for Microsoft 365 Administrator interviews, so consider liking my page on Facebook to be informed about new entries 🙂
The most important difference between the editions of Windows Server 2019 is the number of virtual machines (operating system environments) you may run under one licence.
Standard Edition: one licence covers the Hyper-V host plus two virtual machines (if both are used, the host itself may run only the Hyper-V role). Windows Server containers are unlimited, Hyper-V isolated containers are limited to two.
Datacenter Edition: one licence covers the Hyper-V host plus an unlimited number of virtual machines and Hyper-V isolated containers.
The Network Controller (the core of the software-defined networking stack) is not available on Standard Edition; the same applies to Storage Spaces Direct, shielded virtual machines and the guarded host role, which are Datacenter-only features. Storage Replica exists in Standard but is limited to a single partnership and a 2 TB volume.
Server Core is the minimal installation option and supports most server roles. It has no graphical shell; it is managed locally with scripts/PowerShell (or sconfig) and remotely with Server Manager, RSAT, PowerShell remoting or Windows Admin Center. Because fewer components are installed, it has a smaller attack surface and needs fewer updates and reboots, which is why Microsoft recommends it wherever the workload allows.
Server with Desktop Experience provides the full graphical interface and all supported roles and features, at the cost of a larger footprint and attack surface.
Windows Server 2019 supports only the x86-64 platform, also known as AMD64; there are no 32-bit or ARM builds.
Long-Term Servicing Channel (LTSC) – a new version is released every 2-3 years and contains the then-current state of the Windows codebase (Windows Server 2016 and Windows Server 2019 are examples). Each release gets 5 years of mainstream support followed by another 5 years of extended support, and is available both as Server Core and with Desktop Experience.
Semi-Annual Channel (SAC) – a new version is released every 6 months, only as Server Core (and the Nano Server container image), and only for Software Assurance and cloud customers. Each release is supported for 18 months. Microsoft has since retired this channel; the last SAC release was Windows Server, version 20H2.
FSMO (Flexible Single Master Operations) roles unique to the forest, held by one DC in the whole forest:
Schema Master
Domain Naming Master
Roles unique to each domain, held by one DC per domain:
PDC Emulator
RID Master
Infrastructure Master
Active Directory is a family of services for identity, directory services, certificates and rights management. It consists of the following components:
ADDS – Active Directory Domain Services,
ADLDS – Active Directory Lightweight Directory Services,
ADCS – Active Directory Certificate Services,
ADFS – Active Directory Federation Services,
ADRMS – Active Directory Rights Management Services.
Active Directory is organised into two main structures: forests and domains.
A forest is a collection of one or more AD domains that share a common logical structure, schema, configuration partition and Global Catalog. All domains within a forest are connected by two-way transitive trusts, which is why the forest, not the domain, is the security boundary.
A domain is a partition within the forest: its directory partition is replicated only between the domain's own Domain Controllers, so domains let an organisation limit the scope of replication. Domains also provide user identities, authentication and authorisation, and form an administrative boundary (Domain Admins).
Domains are divided into Organisational Units. Each OU further groups objects such as users, computers, printers, groups and contacts into logical containers; the OU structure is also where Group Policy is linked and where administration is delegated.
Distribution groups – used for email distribution lists within an Exchange environment; they are not security principals and cannot be used in ACLs.
Security groups – used to assign permissions to shared resources such as directories, files and access to remote machines; they have a SID, appear in the user's token and can also be mail-enabled.
Universal – can contain members from any domain in the same forest and can be used to grant permissions in any domain; its membership is replicated to the Global Catalog.
Global – can contain members only from its own domain, but can be used to grant permissions in any domain that trusts it.
Domain Local – can contain members from any domain in the forest or any trusted domain, but can be used to grant permissions only within its own domain.
W32tm; a good starting point is the /query switch (w32tm /query /status shows the current source, stratum and offset).
First of all, to be able to use the Active Directory Recycle Bin, the forest functional level must be Windows Server 2008 R2 or higher. Enabling the feature is irreversible.
To recover objects from the AD Recycle Bin you can use the Active Directory Administrative Center (Deleted Objects container, Windows Server 2012 or later) or the Restore-ADObject PowerShell cmdlet.
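The enable-and-restore procedure end to end, as an added example that is not part of the original post. It assumes the ActiveDirectory module, a forest at functional level 2008 R2 or higher, Enterprise Admins rights, and a deleted user called UserA (all assumptions):

```powershell
# Added example (not from the original post). Assumes Enterprise Admins rights and a
# deleted user UserA; the forest name comes from Get-ADForest.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Enabling the Recycle Bin cannot be undone, so check first whether it is already on.
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

# Find the deleted user. With the Recycle Bin on, deleted objects keep their attributes
# (unlike plain tombstones) until the deleted object lifetime (default 180 days) expires.
$deleted = Get-ADObject -Filter { sAMAccountName -eq 'UserA' -and isDeleted -eq $true } `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, objectSid

$deleted | Format-Table Name, lastKnownParent, whenChanged, objectSid -AutoSize

# Restore to the last known parent OU (use -TargetPath if that OU no longer exists).
# The object comes back with its original SID and group memberships, so before restoring
# a privileged account find out who deleted it (Security log event 4726 on the DC).
Restore-ADObject -Identity $deleted.ObjectGUID

# Verify the account and its memberships are back.
Get-ADUser -Identity 'UserA' -Properties memberOf | Select-Object Name, Enabled, memberOf
```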
Virtualising all Domain Controllers is supported (since Windows Server 2012 the VM-Generation ID protects a DC against snapshot rollback and USN reuse), but many organisations still keep at least one physical DC, usually the PDC emulator, which is the authoritative time source of the domain. The main caveat is time: by default a Hyper-V guest takes its clock from the host through Integration Services, which conflicts with the PDC emulator's job of serving time to the whole forest. Kerberos rejects tickets with more than 5 minutes of clock skew, so configure the PDC emulator to synchronise from an external NTP source, make sure the hypervisor does not overwrite its clock, and never restore a DC from a snapshot or backup image that bypasses the directory.
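The w32tm checks mentioned two answers above and the Hyper-V fix for a virtualised PDC emulator, as an added example that is not part of the original post. The VM name DC01, the NTP pool hosts and running the script on a domain-joined machine are assumptions:

```powershell
# Added example (not from the original post): checking and fixing time synchronisation
# for the PDC emulator. VM name DC01 and the NTP servers are assumptions.
Import-Module ActiveDirectory

# Where does this machine take its time from, and how far is it off?
w32tm /query /source
w32tm /query /status /verbose

# Compare against the domain's reference clock. Kerberos tolerates 5 minutes of skew by
# default (MaxTolerableClockSkew); beyond that authentication fails with KRB_AP_ERR_SKEW.
$pdc = (Get-ADDomain).PDCEmulator
w32tm /stripchart /computer:$pdc /samples:5 /dataonly

# Is the PDC emulator configured as a reliable time source with an NTP peer list?
w32tm /query /computer:$pdc /configuration | Select-String 'NtpServer|AnnounceFlags|Type'

# Run this part on the PDC emulator of the forest root: sync from external NTP,
# announce as reliable, and make the change effective.
if ($env:COMPUTERNAME -eq ($pdc -split '\.')[0]) {
    w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" `
        /syncfromflags:manual /reliable:yes /update
    Restart-Service w32time
    w32tm /resync /rediscover
}

# Run this part on the Hyper-V host: stop the hypervisor from overwriting the
# PDC emulator's clock, otherwise the external NTP configuration above is undone.
Get-VMIntegrationService -VMName 'DC01' -Name 'Time Synchronization'
Disable-VMIntegrationService -VMName 'DC01' -Name 'Time Synchronization'
```

Every other DC and member should be left on the default (NT5DS) hierarchy so it follows the PDC emulator; only the forest root PDC emulator needs the manual peer list.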
A GPO is a set of policies linked to a site, a domain or one or more OUs in Active Directory. The policies can include system settings, restrictions on the use of selected applications, personalisation of the systems such as wallpaper or lock screen, and security settings such as audit policy and user rights. A GPO can also manage software installation by assigning or publishing MSI or ZAP packages to servers and clients.
Local GPO.
GPOs linked to the Site.
GPOs linked to the Domain.
GPOs linked to OUs (parent OU first, then child OUs).
When settings conflict, the policy processed last wins, unless a higher-level link is marked Enforced or an OU blocks inheritance.
LDAP – Lightweight Directory Access Protocol – is the protocol used to access directory services such as Active Directory. With standardised queries it lets us read, add, modify and delete entries in a given directory. LDAP is also used for authentication (a bind) and, through group membership lookups, for authorisation. A simple bind sends the password in clear text, so bind over LDAPS (port 636) or with SASL/Kerberos, and enforce LDAP signing and channel binding on the Domain Controllers.
An attribute in Active Directory is a single value (or a multi-valued list) assigned to an object, representing one of its fields. Examples of attributes are canonicalName, proxyAddresses and userAccountControl.
Extending the Active Directory schema is necessary before installing some products, such as Microsoft Exchange Server or Microsoft System Center Configuration Manager. The extension is normally done by the product's own setup (Exchange Setup /PrepareSchema, ConfigMgr extadsch.exe) or by importing an LDIF file with ldifde; it must be run against the Schema Master by a member of Schema Admins, and schema changes cannot be deleted, only deactivated. ADSI Edit and the Active Directory Schema snap-in let you inspect the result.
Get-ADUser -Identity UserA -Properties *
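The same attribute lookup done directly over LDAP, as an added example that is not part of the original post; it shows the LDAPS bind and LDAP filter described above and decodes the userAccountControl bit field. The server dc01.corp.example, the base DN and the account UserA are assumptions:

```powershell
# Added example (not from the original post): reading user attributes over LDAPS with
# System.DirectoryServices.Protocols. Server, base DN and account are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$server  = 'dc01.corp.example'
$baseDN  = 'DC=corp,DC=example'
$account = 'UserA'

# Port 636 with TLS; a simple bind on 389 would put the credentials on the wire in clear text.
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($server, 636)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate   # Kerberos as the current user
$conn.Bind()

# The LDAP filter is the same one you would pass to Get-ADUser -LDAPFilter.
$filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$account))"
$attrs  = 'canonicalName', 'proxyAddresses', 'userAccountControl', 'memberOf', 'servicePrincipalName'
$req    = New-Object System.DirectoryServices.Protocols.SearchRequest($baseDN, $filter, 'Subtree', $attrs)
$res    = $conn.SendRequest($req)

# userAccountControl is a bit field; these are the flags a security review looks for.
$uacFlags = @{ 0x0002 = 'ACCOUNTDISABLE'; 0x0080 = 'ENCRYPTED_TEXT_PWD_ALLOWED'
               0x10000 = 'DONT_EXPIRE_PASSWORD'; 0x400000 = 'DONT_REQ_PREAUTH' }

foreach ($entry in $res.Entries) {
    Write-Host "DN: $($entry.DistinguishedName)"
    foreach ($name in $attrs) {
        # Absent attributes are simply not returned; multi-valued ones come back as arrays.
        if ($entry.Attributes.Contains($name)) {
            $values = $entry.Attributes[$name].GetValues([string])
            Write-Host ('  {0,-22} {1}' -f $name, ($values -join '; '))
        }
    }
    $uac = [int]$entry.Attributes['userAccountControl'][0]
    $set = $uacFlags.Keys | Where-Object { $uac -band $_ } | ForEach-Object { $uacFlags[$_] }
    Write-Host "  userAccountControl flags: $($set -join ', ')"
}

# Equivalent with the AD module, which locates a DC itself and signs/seals the session:
Get-ADUser -Identity $account -Properties canonicalName, proxyAddresses, userAccountControl |
    Select-Object Name, canonicalName, userAccountControl
```

An account with servicePrincipalName set or with DONT_REQ_PREAUTH is worth a second look: those are the conditions for Kerberoasting and AS-REP roasting respectively.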
DNS – the Domain Name System – is responsible for mapping domain names to IP addresses. It also provides the location of mail servers (MX records), service locators (SRV records), pointers to other names (CNAME and PTR records) and free-form text such as domain-verification codes and SPF policies (TXT records).
Active Directory uses DNS as its Domain Controller location mechanism. Whenever a client needs a DC (logon, Group Policy, LDAP), it asks DNS for SRV records such as _ldap._tcp.dc._msdcs.<domain> and _kerberos._tcp.<domain>, which every DC registers through the Netlogon service; a broken DNS therefore breaks the whole domain.
DHCP – Dynamic Host Configuration Protocol – is a service that dynamically provides the required network configuration to machines on the network: IP address, default gateway, DNS servers, and optionally information such as PXE boot servers or telephone configuration servers. On Windows Server we configure a DHCP server by first assigning a static IP address to the network adapter that will serve the requests, then installing the DHCP Server role, authorising the server in Active Directory (an unauthorised Windows DHCP server in a domain refuses to lease addresses) and finally creating DHCP scopes with the respective address ranges, exclusions and options.
SID – Security Identifier – is a unique ID used within a domain environment to identify security principals (users, groups and computers). Windows uses SIDs instead of names in ACLs and access tokens, so that exactly the intended identity is used. A domain SID is generated when the account is created, as the domain's SID plus a Relative ID (RID) taken from the DC's RID pool. Because permissions reference the SID, users can be renamed without losing their identity, and an account deleted and re-created with the same name is a different principal with none of the old permissions.
A superscope is an administrative feature of the DHCP server that groups individual scopes into one manageable object. It lets the server serve several logical subnets on one physical network segment (multinetting) and lets the administrator configure the member scopes in one place.
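The whole DHCP build-out from the two answers above (static address, role, authorisation, scopes, options, superscope), as an added example that is not part of the original post. The interface name, addresses, domain and server names are assumptions:

```powershell
# Added example (not from the original post): building a DHCP server with PowerShell.
# Interface name, addresses, domain and server names are assumptions.

# 1. Static address on the adapter that will answer DHCP requests.
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress 10.0.1.5 -PrefixLength 24 -DefaultGateway 10.0.1.1
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses 10.0.1.10, 10.0.1.11

# 2. Install the role and its management tools.
Install-WindowsFeature DHCP -IncludeManagementTools

# 3. Authorise the server in Active Directory. A Windows DHCP server in a domain hands out
#    no leases until it is authorised. Note this only stops rogue *Windows* DHCP servers;
#    a rogue server on another OS still needs DHCP snooping on the switches.
Add-DhcpServerInDC -DnsName 'dhcp01.corp.example' -IPAddress 10.0.1.5
Get-DhcpServerInDC

# 4. Scopes: two subnets, the first with an exclusion range reserved for static devices.
Add-DhcpServerv4Scope -Name 'Building A - floor 1' -StartRange 10.0.1.20 -EndRange 10.0.1.250 `
    -SubnetMask 255.255.255.0 -LeaseDuration 1.00:00:00 -State Active
Add-DhcpServerv4ExclusionRange -ScopeId 10.0.1.0 -StartRange 10.0.1.20 -EndRange 10.0.1.49

Add-DhcpServerv4Scope -Name 'Building A - floor 2' -StartRange 10.0.2.20 -EndRange 10.0.2.250 `
    -SubnetMask 255.255.255.0 -LeaseDuration 1.00:00:00 -State Active

# 5. Options: the router per scope, DNS servers and suffix server-wide (inherited by all scopes).
Set-DhcpServerv4OptionValue -ScopeId 10.0.1.0 -Router 10.0.1.1
Set-DhcpServerv4OptionValue -ScopeId 10.0.2.0 -Router 10.0.2.1
Set-DhcpServerv4OptionValue -DnsServer 10.0.1.10, 10.0.1.11 -DnsDomain 'corp.example'

# 6. Superscope: both scopes served on the same physical segment and managed as one object.
Add-DhcpServerv4Superscope -SuperscopeName 'Building A' -ScopeId 10.0.1.0, 10.0.2.0
Get-DhcpServerv4Superscope

# Health check: free/used addresses per scope and the current leases.
Get-DhcpServerv4ScopeStatistics
Get-DhcpServerv4Lease -ScopeId 10.0.1.0 | Select-Object IPAddress, ClientId, HostName, LeaseExpiryTime
```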
The Modify permission allows reading, executing, writing and deleting: editing content, creating and deleting files and folders.
Full Control allows everything Modify does and additionally lets the holder change permissions and take ownership of the object. Whoever has Full Control can therefore lock everyone else out or grant themselves anything, so it should be reserved for administrators and the owner.
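A check that turns the distinction above into something you can run against a file server: find folders where a non-administrative principal has Full Control, and downgrade one grant to Modify. This is an added example, not part of the original post; the share path and the group names are assumptions:

```powershell
# Added example (not from the original post): finding Full Control grants to principals
# that should only have Modify, and fixing one. Share path and group names are assumptions.
$root    = 'D:\Shares\Finance'
$allowed = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CORP\Finance-Admins'
$fc      = [System.Security.AccessControl.FileSystemRights]::FullControl

$findings = foreach ($dir in @(Get-Item $root) + @(Get-ChildItem $root -Directory -Recurse)) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    foreach ($ace in $acl.Access) {
        # FileSystemRights is a bit field; FullControl is the superset that includes
        # ChangePermissions and TakeOwnership, the two rights Modify does not carry.
        # Caveat: inherit-only ACEs sometimes carry generic rights (e.g. 268435456 = GENERIC_ALL),
        # which this mask test does not match; review those separately.
        $hasFull = (($ace.FileSystemRights -band $fc) -eq $fc)
        if ($ace.AccessControlType -eq 'Allow' -and $hasFull -and
            $ace.IdentityReference.Value -notin $allowed) {
            [pscustomobject]@{
                Path      = $dir.FullName
                Identity  = $ace.IdentityReference.Value
                Inherited = $ace.IsInherited
            }
        }
    }
}
$findings | Format-Table -AutoSize

# Remediation for one folder: drop the explicit ACEs for the group and grant Modify instead.
# Inherited ACEs must be fixed on the parent where they are defined.
$path = Join-Path $root 'Budget'
$acl  = Get-Acl -LiteralPath $path
$who  = [System.Security.Principal.NTAccount]'CORP\Finance-Users'
$acl.PurgeAccessRules($who)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($who, 'Modify',
            'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $path -AclObject $acl

# Verify: only Modify remains for the group on that folder.
(Get-Acl -LiteralPath $path).Access | Where-Object { $_.IdentityReference -eq $who } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```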
Round Robin DNS spreads traffic for one name across several servers: the DNS server rotates the order of the answers for the same query from one response to the next. We create such an entry by adding multiple records of the same type and name with different values (for example several A records for www). It performs no health checking, so a failed host keeps receiving its share of clients until its record is removed.
Troubleshooting connectivity between DCs should begin with basic network troubleshooting:
– Check basic network connectivity by pinging the default gateway and then the other DC.
– Trace the path to the second DC with TRACERT, and check that the ports AD needs (53, 88, 135, 389, 445, 636, 3268 and the RPC dynamic range) are not filtered on the way.
– Check DNS health by running DCDIAG /TEST:DNS /e /v.
– Check AD replication health by running REPADMIN /SHOWREPL (and REPADMIN /REPLSUMMARY for a forest-wide overview).
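The DC-locator lookup described under the DNS answer above, plus the connectivity and replication checks from this list, as one added example that is not part of the original post. It can be run from any domain-joined machine with RSAT; the domain and DC names are assumptions:

```powershell
# Added example (not from the original post): DC locator and replication health check.
# Domain and DC names are assumptions.
Import-Module ActiveDirectory
$domain = 'corp.example'
$peerDC = 'dc02.corp.example'

# 1. DC locator records. If these SRV records are missing, Netlogon on the DC has not
#    registered them (check the DC's DNS client settings, then run 'nltest /dsregdns' there).
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
    Select-Object Name, NameTarget, Port, Priority, Weight
Resolve-DnsName -Name "_kerberos._tcp.$domain" -Type SRV | Select-Object NameTarget, Port

# Which DC does this machine actually pick, and does it advertise as GC, KDC and time server?
nltest /dsgetdc:$domain /force

# 2. Reachability of the AD ports, not just ICMP (a firewall can pass ping and block LDAP).
Test-NetConnection -ComputerName $peerDC -TraceRoute | Select-Object -ExpandProperty TraceRoute
foreach ($port in 53, 88, 135, 389, 445, 636, 3268) {
    $t = Test-NetConnection -ComputerName $peerDC -Port $port -WarningAction SilentlyContinue
    '{0,-6} {1}' -f $port, $(if ($t.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}

# 3. DNS and replication diagnostics as in the list above.
dcdiag /test:dns /e /v
repadmin /showrepl
repadmin /replsummary

# 4. The same replication data as objects, so failures can be filtered and alerted on.
Get-ADReplicationPartnerMetadata -Target $peerDC |
    Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures
Get-ADReplicationFailure -Target $domain -Scope Domain
```

A DC that has not replicated for longer than the tombstone lifetime (180 days by default) must not be reconnected; it has to be demoted and cleaned up, otherwise lingering objects come back.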
It depends on the role:
– Infrastructure Master – if it is unavailable, cross-domain group memberships are no longer updated, so objects from other domains are displayed as SIDs instead of names (relevant only in multi-domain forests where not every DC is a Global Catalog).
– RID Master – Domain Controllers will not be able to create new security principals once their RID pools are exhausted (each DC requests a batch of 500 RIDs from the RID Master and asks for the next batch when half of it is used).
– PDC Emulator – logon problems: password changes made on other DCs are no longer forwarded to it, so a user whose password has just changed can be refused by a DC that has not received the change yet; account lockout processing, the domain time hierarchy and the default target of the Group Policy editor also depend on it.
– Domain Naming Master – if the role is unavailable, we lose the ability to add, rename and remove domains (and application partitions) in the forest.
– Schema Master – if the role is unavailable, no modifications to the Active Directory schema are possible.
To move a FSMO role to another Domain Controller you need to be a member of the right group: Domain Admins for the three domain roles, Enterprise Admins for the Domain Naming Master and Schema Admins for the Schema Master. Then you can use the Active Directory Users and Computers snap-in: connect to the target DC, right-click the domain, choose Operations Masters, and in that window transfer the PDC Emulator, RID Master or Infrastructure Master to the connected DC. The Domain Naming Master is moved the same way from Active Directory Domains and Trusts, and the Schema Master from the Active Directory Schema snap-in (register schmmgmt.dll first).
Another method is NTDSUtil: roles, connections, connect to server <target DC>, quit, then transfer <role>. If the old holder is permanently gone, use seize <role> instead, and never bring that old DC back onto the network afterwards.
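The PowerShell route for the FSMO questions above (the forest/domain role list, the impact check and the transfer), as an added example that is not part of the original post. The DC name dc02.corp.example is an assumption:

```powershell
# Added example (not from the original post): locating, sanity-checking and transferring
# FSMO roles with the ActiveDirectory module. DC name is an assumption.
Import-Module ActiveDirectory

# Forest-wide roles are properties of Get-ADForest, domain roles of Get-ADDomain.
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# The same view per DC, and the classic consistency check that every DC agrees on the holders.
Get-ADDomainController -Filter * | Select-Object HostName, OperationMasterRoles, IsGlobalCatalog
dcdiag /test:knowsofroleholders /v

# Before moving the Infrastructure Master: it must not sit on a Global Catalog unless
# every DC in the domain is a GC, otherwise cross-domain references stop being updated.
$target = Get-ADDomainController -Identity 'dc02.corp.example'
if ($target.IsGlobalCatalog -and (Get-ADDomainController -Filter { IsGlobalCatalog -eq $false })) {
    Write-Warning "$($target.HostName) is a GC and not all DCs are GCs; keep the Infrastructure Master elsewhere."
}

# Graceful transfer (old holder online and reachable). Needs Domain Admins for the domain
# roles, Enterprise Admins / Schema Admins for the forest roles.
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole PDCEmulator, RIDMaster -Confirm:$false

# Seize (-Force) only when the old holder is gone for good. The old DC must never return
# to the network afterwards: two RID Masters would hand out overlapping SIDs.
# Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole RIDMaster -Force

# Verify and check that the change is replicating to the other DCs.
(Get-ADDomain).PDCEmulator
repadmin /showrepl $target.HostName
```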
PDC Emulator
Infrastructure Master
We can do it in a few ways:
– Checking Installed Updates in the Programs and Features Control Panel applet
– With the Get-HotFix cmdlet (also works against remote machines)
– Using the sconfig.cmd script on Server Core
– Using the Windows Update client: wuauclt on older versions, while on Windows Server 2016 and later scans are triggered with usoclient StartScan, and the Settings app shows the update history
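Three of these checks in script form, including the one that is most useful in practice: asking the Windows Update Agent which applicable updates are still missing. This is an added example, not part of the original post; the server name and the KB number are assumptions:

```powershell
# Added example (not from the original post): patch state of a server in three ways.
# Server name and KB number are assumptions.

# 1. Installed hotfixes: the scriptable form of the Programs and Features list.
Get-HotFix -ComputerName 'srv01.corp.example' | Sort-Object InstalledOn -Descending | Select-Object -First 5
Get-HotFix -Id 'KB4534273' -ErrorAction SilentlyContinue

# 2. OS build: every cumulative update bumps the UBR (the number after the build).
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
'{0} build {1}.{2}' -f $cv.ProductName, $cv.CurrentBuildNumber, $cv.UBR

# 3. Ask the Windows Update Agent which applicable updates are NOT installed yet; this is
#    the same data the Settings page and WSUS reporting rely on.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
$result.Updates | ForEach-Object {
    [pscustomobject]@{
        KB       = ($_.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Title    = $_.Title
        Severity = $_.MsrcSeverity   # Critical/Important/... for security updates, empty otherwise
    }
} | Sort-Object Severity | Format-Table -AutoSize

# Trigger a fresh scan on Windows Server 2016/2019 (wuauclt /detectnow no longer works there).
usoclient StartScan
```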
Active Directory Sites and Services maps the directory onto the physical network: a site is a set of well-connected subnets, and site links describe the slower links between sites. Thanks to sites we can place Domain Controllers in branch offices, and clients pick the DC (and Global Catalog) in their own site, which speeds up the logon process and keeps authentication and Group Policy traffic off the WAN; replication between sites is compressed and runs on a schedule you control. Sites do not limit what a DC stores (every writable DC holds the whole domain partition), so to keep only part of the directory in a poorly secured branch you combine a site with a Read-Only Domain Controller.
By using disk quotas: on the volume's Properties, Quota tab, enable quota management, set the default limit and warning level, or add per-user entries under Quota Entries, which also shows each user's current usage. Quotas are tracked per user per NTFS volume based on file ownership; for quotas per folder use File Server Resource Manager.
slmgr.vbs /dlv
Open the Certification Authority snap-in in an MMC console, select the issuing CA, go to Issued Certificates, find the certificate, right-click it and choose All Tasks, Revoke Certificate, giving a reason code. Relying parties only learn about the revocation from the next CRL (or OCSP response), so publish a new CRL afterwards instead of waiting for the scheduled publication.
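The same revocation from the command line on the issuing CA, followed by the checks that show whether clients will actually see it. This is an added example, not part of the original post; the serial number and the file paths are assumptions:

```powershell
# Added example (not from the original post): revoking a certificate on the issuing CA
# and verifying the revocation is published. Serial number and paths are assumptions.
$serial = '1a2b3c4d000000000007'

# Reason codes: 0 Unspecified, 1 KeyCompromise, 2 CACompromise, 3 AffiliationChanged,
# 4 Superseded, 5 CessationOfOperation, 6 CertificateHold (the only one that can be undone).
certutil -revoke $serial 1

# Publish a new base CRL (and delta CRL if delta publishing is on) right now; until then
# relying parties keep using the cached CRL that still lists the certificate as good.
certutil -crl

# Confirm in the CA database: the Request Disposition column must show Revoked.
certutil -view -restrict "SerialNumber=$serial"

# Confirm in the published CRL file (default CertEnroll location; the CDP copies must match).
$crl = Get-ChildItem "$env:windir\System32\CertSrv\CertEnroll" -Filter '*.crl' |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
certutil -dump $crl.FullName | Select-String -Pattern $serial -Context 0, 3

# From a client: does chain building, fetching the CDP/AIA URLs in the certificate,
# report it as revoked? (export the certificate to a file first)
certutil -verify -urlfetch 'C:\temp\revoked-cert.cer'

# How long until every client notices: the CRL validity periods configured on this CA.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
certutil -getreg CA\CRLDeltaPeriodUnits
```

Clients cache a CRL until it expires, so a key-compromise revocation is only as fast as your CRL period; a short delta CRL period or OCSP is what makes revocation timely.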
GPT – allows up to 128 partitions on Windows, volumes larger than 2 TB (an NTFS volume can reach 256 TB with 64 KB clusters), a protective MBR plus a backup copy of the partition table protected by CRC32 checksums, and it is required for booting in UEFI mode (and therefore for Secure Boot). GPT data disks are supported since Windows Server 2003 SP1; booting from GPT needs 64-bit Windows on UEFI firmware.
MBR – allows 4 partitions (4 primary, or 3 primary and one extended), volume limit 2 TB, supported on every system including legacy BIOS boot.
RAID – Redundant Array of Independent Disks is a technology that lets multiple disks work as one logical disk. Disks can be combined in many different ways, giving redundancy (protection against a disk failure) or higher performance; some levels give both.
Stripe – RAID 0 – the simplest RAID level, giving higher read and write performance. Data are split into chunks written across the disks. The disadvantage is that the failure of one disk means all of the data are lost; for availability it is worse than a single disk.
Mirror – RAID 1 – a very simple level giving redundancy by writing the same data to 2 or more disks simultaneously. If one disk fails, the copy on the other disk is still available.
RAID 5 – data are striped across all disks in the array together with parity blocks, and the parity of each stripe is stored on a different disk. The array survives the failure of one disk: replace the failed drive and the data are rebuilt from the remaining data and parity. A second failure during the rebuild loses the array, which is why RAID 6 (two parity blocks) is preferred with large disks.
RAID can be implemented in hardware, on the disk controller, or in software within the operating system (Windows offers mirrored and RAID-5 dynamic volumes and, with Storage Spaces, mirror and parity spaces).
With Windows Server 2019 the recommended method is PowerShell: Install-WindowsFeature AD-Domain-Services, followed by Install-ADDSForest (new forest), Install-ADDSDomain (new child or tree domain) or Install-ADDSDomainController (additional DC in an existing domain). The same can be done with the Add Roles and Features wizard in Server Manager and the promotion wizard that follows it. DCPromo.exe has been deprecated since Windows Server 2012 and no longer offers a wizard, although unattended promotion with an answer file still works.
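Promoting a server to an additional DC with the cmdlets named above, as an added example that is not part of the original post. The domain corp.example, the site name, the DC names and the way the DSRM password is obtained are assumptions:

```powershell
# Added example (not from the original post): promoting a member server to an additional
# Domain Controller. Domain, site name and the DSRM password handling are assumptions.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# The DSRM password is the local administrator password used to boot the DC into
# Directory Services Restore Mode. Store it in a vault; never leave it in the script.
$dsrm = Read-Host -AsSecureString 'Directory Services Restore Mode password'
$cred = Get-Credential 'CORP\Administrator'

# Dry run: checks prerequisites (forest/domain prep, DNS, reachable replication partner)
# without changing anything.
Test-ADDSDomainControllerInstallation -DomainName 'corp.example' -Credential $cred `
    -SiteName 'Default-First-Site-Name' -SafeModeAdministratorPassword $dsrm

# The promotion itself. The server reboots at the end and comes up as a DC.
Install-ADDSDomainController `
    -DomainName 'corp.example' `
    -Credential $cred `
    -SiteName 'Default-First-Site-Name' `
    -InstallDns:$true `
    -NoGlobalCatalog:$false `
    -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm `
    -NoRebootOnCompletion:$false -Force:$true

# For a brand-new forest the first DC is created with Install-ADDSForest instead, e.g.:
# Install-ADDSForest -DomainName 'corp.example' -DomainNetbiosName 'CORP' -ForestMode WinThreshold `
#     -DomainMode WinThreshold -InstallDns -SafeModeAdministratorPassword $dsrm -Force

# After the reboot, confirm the new DC advertises, has the SRV records and replicates:
# dcdiag /c /v
# repadmin /showrepl
```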
DNS forwarders are a list of DNS servers to which the local DNS server sends queries it cannot answer from its own zones or cache. The forwarder resolves the name recursively on behalf of our server; if the first forwarder does not reply, the next one on the list is tried in order, and only when the list is exhausted does the server fall back to root hints (if that fallback is enabled). Conditional forwarders send queries for one specific domain to specific servers, which is the usual way to resolve names in a partner or trusted forest.
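Configuring and testing forwarders on a Windows DNS server, as an added example that is not part of the original post. It also shows the PowerShell form of the reverse (PTR) lookup. The addresses, zone names and server names are assumptions:

```powershell
# Added example (not from the original post): forwarders, conditional forwarders and the
# queries that verify them. Addresses and names are assumptions.

# Current forwarder list and whether the server falls back to root hints when all fail.
Get-DnsServerForwarder

# Replace the list: tried in this order, 3 seconds per forwarder, no root-hint fallback.
Set-DnsServerForwarder -IPAddress 10.0.1.53, 10.0.2.53 -UseRootHint $false -Timeout 3

# Conditional forwarder: everything under partner.example goes to that organisation's DNS.
# Stored in AD so every DC running DNS in the forest gets it.
Add-DnsServerConditionalForwarderZone -Name 'partner.example' -MasterServers 192.0.2.53 `
    -ReplicationScope Forest

# Test from the server itself: a name in a foreign zone must come back through a forwarder,
# a name in a local zone is answered authoritatively.
Resolve-DnsName -Name 'www.partner.example' -Server 'dc01.corp.example' -DnsOnly
Resolve-DnsName -Name 'dc01.corp.example'   -Server 'dc01.corp.example' -DnsOnly

# Reverse lookup: the PTR record from the reverse lookup zone (PowerShell form of nslookup <ip>).
Resolve-DnsName -Name 10.0.1.20 -Type PTR -Server 'dc01.corp.example'

# Forwarders need recursion enabled, but an internet-facing DNS server must not be an
# open resolver; check this on any server that is reachable from outside.
Get-DnsServerRecursion
```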
With MSI or ZAP packages, software can be deployed via Group Policy Objects (assigned to computers or users, or published for users). If the files are on a network share readable by the clients (including the computer accounts), startup or logon scripts can install them as well. External software such as Microsoft System Center Configuration Manager can also perform the task. Whatever the method, the share must be writable only by the administrators who maintain the packages, because everything in it runs with SYSTEM or user privileges on every client.
RSoP – Resultant Set of Policy – shows the administrator which GPO settings actually apply to a machine or user after inheritance, enforcement and filtering, which greatly helps with GPO troubleshooting. While gpresult (for example gpresult /h report.html) does this on the local machine, RSoP in the Group Policy Management Console (the Group Policy Results and Group Policy Modelling wizards) lets us run it against remote machines and model the effect of moving a user or computer before doing it.
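Seeing the LSDOU processing order and the resultant set of policy from PowerShell, as an added example that is not part of the original post. The OU path, the server and the user are assumptions:

```powershell
# Added example (not from the original post): GPO links in processing order for an OU,
# and an RSoP report for a remote computer/user. OU, server and user are assumptions.
Import-Module GroupPolicy

# Links that apply to one OU in processing order: inherited ones (site, domain, parent OUs)
# first, then the OU's own. Enforced links and BlockInheritance change the usual precedence.
$ou  = 'OU=Servers,OU=Branch1,DC=corp,DC=example'
$inh = Get-GPInheritance -Target $ou
$inh.InheritedGpoLinks | Select-Object Order, DisplayName, Enabled, Enforced, Target
"GPO inheritance blocked on this OU: $($inh.GpoInheritanceBlocked)"

# Resultant Set of Policy for a remote computer and user as an HTML report: the same data
# as gpresult /h, without logging on to the box (needs the RSoP firewall rules open).
Get-GPResultantSetOfPolicy -Computer 'srv01.corp.example' -User 'CORP\UserA' `
    -ReportType Html -Path "$env:TEMP\rsop-srv01.html"

# On the machine itself the short form is: gpresult /r /scope:computer

# Group Policy processing is logged; a link that unexpectedly does not apply shows up here
# (5312 = GPOs applied, 5313 = GPOs filtered out, 4016/7016 = extension start/end).
Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents 50 |
    Where-Object { $_.Id -in 4016, 5312, 5313, 7016 } |
    Select-Object TimeCreated, Id, Message
```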
If the other machine is also a Windows Server, we can use Server Manager, which lets us create server pools and manage them from one place (it relies on WinRM, so PowerShell remoting must be enabled on the managed servers). Other options are installing the RSAT toolset, which provides the MMC snap-ins for remote Windows Server management, PowerShell remoting (Enter-PSSession, Invoke-Command) and Windows Admin Center.
Windows Admin Center is a browser-based tool for managing Windows machines. It offers a simplified way to manage servers and desktops, giving access to the most common resources such as services, certificates, Remote Desktop and performance statistics. It can be deployed in different ways: as a single instance installed on a local workstation or as a gateway server installed on a dedicated application server, which then talks to the managed machines over WinRM.
The built-in virtualisation technology in Windows Server is Microsoft Hyper-V. Available at no extra cost in Windows (Pro and Enterprise) and Windows Server, it virtualises the x86-64 platform on physical machines. Hyper-V also virtualises networking (virtual switches), supports Secure Boot and a virtual TPM in generation 2 VMs, shielded VMs and nested virtualisation, and is updated together with the Windows release it ships in.
By setting registry values under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL (the Protocols, Ciphers, Hashes and KeyExchangeAlgorithms subkeys) and rebooting. Alternatively the IIS Crypto tool from Nartac Software edits the same keys through a GUI and also helps with ordering the cipher suites securely.
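The registry approach spelled out: disable SSL 2.0/3.0 and TLS 1.0/1.1, make sure TLS 1.2 stays on, and tell .NET to follow the OS defaults. This is an added example, not part of the original post; the helper function name is mine:

```powershell
# Added example (not from the original post): disabling legacy SSL/TLS versions via the
# SCHANNEL registry keys. Needs admin rights and a reboot. TLS 1.3 is not available on
# Windows Server 2019, so TLS 1.2 is the floor and the ceiling there.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {   # helper name is an assumption
    param([string]$Protocol, [bool]$Enabled)
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $base "$Protocol\$side"
        New-Item -Path $key -Force | Out-Null
        # Enabled=0 switches the protocol off; DisabledByDefault=1 stops applications that
        # ask for the "system default" protocol set from picking it up. Set both.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1' | ForEach-Object { Set-SchannelProtocol -Protocol $_ -Enabled $false }
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true

# .NET Framework applications (older agents, custom services) only follow SCHANNEL's
# defaults when told to; otherwise they may keep negotiating TLS 1.0 themselves.
foreach ($fw in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    New-ItemProperty -Path $fw -Name 'SystemDefaultTlsVersions' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $fw -Name 'SchUseStrongCrypto'       -PropertyType DWord -Value 1 -Force | Out-Null
}

# Review the result before rebooting.
Get-ChildItem $base -Recurse | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    [pscustomobject]@{
        Key               = $_.PSPath -replace '.*Protocols\\'
        Enabled           = $p.Enabled
        DisabledByDefault = $p.DisabledByDefault
    }
} | Format-Table -AutoSize

# Cipher suites are a separate setting: list what is enabled and drop a weak one.
(Get-TlsCipherSuite).Name
Disable-TlsCipherSuite -Name 'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
```

Before disabling TLS 1.0/1.1 on a server, inventory what connects to it (RDP clients, old monitoring agents, SQL clients); the SCHANNEL event log (System log, source Schannel) shows failed handshakes after the change.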
An RODC is a Read-Only Domain Controller, introduced in Windows Server 2008. Its purpose is to put a DC in locations where physical security cannot be guaranteed (branch offices) while reducing WAN load. Only the accounts allowed by its Password Replication Policy have their password hashes cached on it, so if the RODC is stolen or compromised, its computer account is deleted and the passwords of exactly those cached accounts are reset. An RODC can also run a read-only DNS server, so the branch resolves names locally instead of sending every query to a writable DC that may be on the other side of the world.
A read-only AD DS database, unidirectional replication (from writable DCs to the RODC only, so nothing written on a compromised RODC reaches the rest of the forest), a filtered attribute set (sensitive attributes are not replicated to it), limited credential caching controlled by the Password Replication Policy, administrator role separation (a local administrator of the RODC with no domain rights) and read-only DNS.
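Managing the Password Replication Policy and checking what an RODC has actually cached, as an added example that is not part of the original post. The RODC name, the branch groups, the source DC and the user are assumptions:

```powershell
# Added example (not from the original post): RODC Password Replication Policy and
# cached-credential review. RODC name, groups, DC and user are assumptions.
Import-Module ActiveDirectory
$rodc = 'RODC-BRANCH1'

# Who may / may not have their secrets cached on this RODC. Privileged groups are denied
# by default through the "Denied RODC Password Replication Group"; keep it that way.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied

# Allow only the branch's own users and computers to be cached there.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc `
    -AllowedList 'Branch1-Users', 'Branch1-Computers'

# What is cached right now (the exposure if the box walks out of the door), and who has
# authenticated through it (candidates for pre-population).
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, SamAccountName, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, SamAccountName, ObjectClass

# Make sure no privileged account has slipped into the cache.
$privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
              Select-Object -ExpandProperty SamAccountName
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Where-Object { $_.SamAccountName -in $privileged } |
    ForEach-Object { Write-Warning "Privileged account cached on ${rodc}: $($_.SamAccountName)" }

# Pre-populate a user's secrets so the first logon works even when the WAN link is down.
Sync-ADObject -Object (Get-ADUser -Identity 'UserA') -Source 'dc01.corp.example' `
    -Destination $rodc -PasswordOnly

# If the RODC is compromised: delete its computer account (Active Directory Users and
# Computers offers to reset the passwords of all cached accounts and to export that list),
# then reset those accounts you could not cover and clean up any leftover metadata.
```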
Domain Admins have full administrative permissions within a single domain, while Enterprise Admins, a group that exists only in the forest root domain, can manage the forest itself: adding and removing domains, sites and trusts, and changing the configuration partition. Enterprise Admins is a member of the local Administrators group of every domain in the forest, which is why its membership should normally be empty and populated only for the task at hand.
By using Get-Help <cmdlet> within Windows PowerShell (add -Examples, -Full or -Online for more detail; run Update-Help first so the local help files are current).
Using the nslookup command (nslookup <ip>) or Resolve-DnsName in PowerShell. The IP-to-name mapping is stored in PTR records in the reverse lookup zone in DNS; if no reverse zone exists for that subnet, the lookup fails even though the host itself is known.
Single Sign-On lets a user access different systems with a single identity, authenticated once at login. With Active Directory Federation Services the user authenticates against Active Directory Domain Services (with Kerberos inside the domain, or with forms-based authentication outside it), and AD FS issues a signed security token (SAML or JWT) containing claims about the user. The application trusts the token's signature and never sees the user's password or hash. Inside the domain, Kerberos itself provides SSO for integrated applications.
BitLocker is the full-volume encryption technology in Windows and Windows Server. It protects the operating system volume with keys sealed in the hardware TPM (optionally combined with a PIN or a startup key), so the disk cannot be read if it is removed or booted from other media. Recovery passwords can be backed up to Active Directory, and Network Unlock lets domain-joined servers reboot unattended while they are on the corporate network. BitLocker does not verify user identity; it verifies the integrity of the boot path measured by the TPM and unlocks only when those measurements match.
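Turning the description above into a working setup: enable BitLocker on the OS volume with a TPM protector, escrow the recovery password in Active Directory and verify. This is an added example, not part of the original post; it assumes Windows Server 2019 with a TPM 2.0, the BitLocker feature, and a Group Policy that allows AD backup of recovery information:

```powershell
# Added example (not from the original post): BitLocker on the OS volume with a TPM
# protector and the recovery password escrowed to AD. Assumes a TPM 2.0 and a GPO that
# permits AD backup of recovery information.
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart:$false
# (a reboot is required after installing the feature before the cmdlets below work)

# Is there a usable TPM?
Get-Tpm | Select-Object TpmPresent, TpmReady, TpmEnabled

$vol = 'C:'

# Recovery password first, so it exists and can be escrowed before encryption starts.
Add-BitLockerKeyProtector -MountPoint $vol -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $vol).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'

# Escrow into the computer object (msFVE-RecoveryInformation child object). The GPO
# "Choose how BitLocker-protected operating system drives can be recovered" must allow it.
Backup-BitLockerKeyProtector -MountPoint $vol -KeyProtectorId $rp.KeyProtectorId

# Encrypt with the TPM as the unlock protector. Used-space-only is fast for a fresh install;
# use -UsedSpaceOnly:$false on a disk that previously held data in clear text.
Enable-BitLocker -MountPoint $vol -TpmProtector -EncryptionMethod XtsAes256 `
    -UsedSpaceOnly -SkipHardwareTest

# Verify: status, protectors, and that AD holds the recovery password.
Get-BitLockerVolume -MountPoint $vol |
    Select-Object VolumeStatus, ProtectionStatus, EncryptionPercentage, EncryptionMethod
(Get-BitLockerVolume -MountPoint $vol).KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
manage-bde -protectors -get $vol

Import-Module ActiveDirectory
$computerDN = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -SearchBase $computerDN `
    -Properties 'msFVE-RecoveryPassword' | Select-Object Name, 'msFVE-RecoveryPassword'
```

Reading msFVE-RecoveryPassword requires delegated rights on the computer object; whoever holds them can decrypt every escrowed disk, so treat that delegation like Domain Admins.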
Do you have any suggestions about which Windows Server interview questions can be asked during technical meetings with a candidate? Tell me in the comments below and maybe I will do a second part of the Windows Server questions.
If you also have ideas about other areas I should cover in the interview question posts, please reach me on my Facebook – Arek Kożuch.