Windows Server Engineer – top 50 interview questions

Are you tired of your current job and looking for a new position as a Windows Server Engineer/Administrator? Maybe you have been working with Microsoft's server technologies for a long time and want to check whether your knowledge is up to date? Let's see the 50 most common questions you can be asked during a Windows Server Administrator interview.

This is only the first of a series of entries related to IT interview questions. I am also preparing a list of questions for Microsoft 365 Administrator interviews, so consider liking my page on Facebook to be informed about new entries 🙂

1. Please explain the difference between the Standard and Datacenter editions of Windows Server 2019

The most important difference between the editions of Windows Server 2019 is the number of virtual machines you can create using one license.
Standard Edition can be installed as 2 guests + one Hyper-V host.
Datacenter Edition can be installed on an unlimited number of guests + one Hyper-V host.
Only one service, Network Controller, is not available on Standard Edition.

2. Please explain the difference between Server Core Installation and Server with a Desktop Experience

Server Core Installation provides a minimal installation option that supports most of the server roles. It can be managed using local scripts/PowerShell and remote management tools. It does not offer a graphical user interface.
Server with a Desktop Experience provides the full GUI experience and all of the supported features.

3. Which hardware platforms are supported by Windows Server 2019?

Windows Server 2019 supports only x86-64, also known as the AMD64 platform.

4. Please explain the differences between the currently available update branches

Long-Term Servicing Channel (LTSC) – a new version is released every 2-3 years and contains the current state of the Windows codebase (examples are Windows Server 2016 and Windows Server 2019). Provides 5 years of mainstream support and another 5 years of extended support.
Semi-Annual Channel (SAC) – a new version of the system is released every 6 months and is available only to Software Assurance Agreement and cloud customers. Provides 18 months of support.

5. Please name all 5 FSMO roles and divide them by their uniqueness

Roles unique to the forest:
Schema Master
Domain Naming Master

Roles unique to the domain:
PDC Emulator
RID Master
Infrastructure Master

6. What is Active Directory?

Active Directory is a set of services related to identity, directory services, certificates and rights management. It consists of the following modules:
ADDS – Active Directory Domain Services,
ADLDS – Active Directory Lightweight Domain Services,
ADCS – Active Directory Certificate Services,
ADFS – Active Directory Federation Services,
ADRMS – Active Directory Rights Management Services.

7. Explain the logical structure of an Active Directory environment

Active Directory is divided into two main structures: forests and domains.
A forest is a collection of one or more AD domains that share a common logical structure, schema, directory configuration and Global Catalog. All domains within one forest are connected by two-way trust relationships.
A domain is a partition within the forest. Active Directory domains allow organizations to limit data replication to specific locations. Additionally, domains provide user identity, authentication, authorization and replication between Domain Controllers.
Domains are divided into Organizational Units. Each OU further divides objects into more logical groups, like users, computers, printers, groups and contacts. The OU structure also helps with Group Policy management.

8. Explain the difference between the types of groups in Active Directory

Distribution groups – used to manage email distribution lists within an Exchange environment.
Security groups – used to assign permissions to shared resources, like directories, files and access to remote machines.

9. What types of domain scopes do you know and what are the differences between them?

Universal – Can contain members from any domain in the same forest.
Global – Can contain members from the same domain.
Domain Local – Can contain members from any domain or trusted domain.

10. Which command will you use to troubleshoot problems with the Windows Time service?

W32tm; a good starting point is the /query switch.

11. What are the requirements to use the Active Directory Recycle Bin and which tool will you use to recover an object?

First of all, to be able to use the Active Directory Recycle Bin, the forest and domain functional level must be set to Windows Server 2008 R2 or higher.
To recover objects from the ADRB you need to use the Active Directory Administrative Center.

12. Is it recommended to virtualize all Domain Controllers in one domain?

No, it is not recommended to virtualize all Domain Controllers. The recommended way is to have at least one physical DC, which should be configured as a time server. Virtualizing a DC also virtualizes its time, which can cause issues with Kerberos authentication.

13. Explain what Group Policy Objects (GPO) are and why we use them

A GPO is a set of policies applied to one or more OUs in Active Directory. The policies can include specific system settings, restrictions on the use of selected applications, and personalization of the systems, like setting wallpapers or lock screens. GPOs can also manage software installation by applying MSI or ZAP packages to servers and clients.

14. What is the GPO processing order?

Local GPO.
GPO linked to Site.
GPO linked to Domain.
Policies linked to OU.

15. Explain what LDAP is

LDAP – Lightweight Directory Access Protocol – is a service that provides access to directory services like Active Directory. Using standardized queries, it allows us to get, add and delete pieces of information in a given directory. LDAP can also be used for authentication and authorization of users.

16. What is an attribute in Active Directory?

An attribute in Active Directory is a single value assigned to an object, representing one of its fields. Examples of attributes are CanonicalName, ProxyAddress, etc.

17. Why might we need to extend the Active Directory Schema and how do we do it?

Extending the Active Directory Schema is necessary for installing some services, like Microsoft Exchange Server or Microsoft System Center Configuration Manager. To extend the schema we use ADSI Editor.

18. How will you get all properties of the UserA object in Active Directory using PowerShell?

Get-ADUser -Identity UserA -Properties *

19. Please explain the purpose of the DNS service and how it interacts with Active Directory

Domain Naming Service is responsible for managing domain-to-IP mapping. It also provides information about the location of mail servers, service locators, pointers to services and other types of information, like verification codes.
Active Directory uses DNS as its Domain Controller location mechanism. Every time an AD operation is performed, machines within the network use the DNS server to locate a Domain Controller.

20. What is a DHCP server and how can you configure it in Windows Server?

Domain Host Control Protocol is a service responsible for dynamically providing required information to the machines within a network. This information includes the IP address, gateway server and DNS servers, and can also include information regarding the PXE service, telephone configuration servers and much more. In Windows Server we configure a DHCP server by first assigning a static IP address to the network adapter on which we will provide the service. The next step is to install the DHCP Server role and configure DHCP scopes with the respective addressing and options.

21. What are SID identifiers?

SID – Security Identifier – is a unique ID number used by devices within a domain environment to identify users. Windows uses SIDs instead of usernames to ensure that the exact identity of the user is used. A SID is generated during account creation in the domain. The design of the SID allows users to change their names without changing their single identity within the given domain.
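
To show what a SID actually contains, here is an added example (not part of the original post) that decodes the binary form in which a SID is stored, for instance in the objectSid attribute, into its domain part and RID. The function name ConvertFrom-BinarySid and the sample SID are constructed for illustration.

```powershell
# Added example: decode a binary SID into revision, authority, domain SID and RID.
function ConvertFrom-BinarySid {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    if ($Bytes.Length -lt 8) { throw 'A SID needs at least 8 bytes' }
    $revision = $Bytes[0]            # always 1 today
    $count    = [int]$Bytes[1]       # number of sub-authorities
    if ($Bytes.Length -ne 8 + 4 * $count) { throw 'Length does not match sub-authority count' }

    # Identifier authority: 6 bytes, big-endian (5 = NT Authority).
    [uint64]$authority = 0
    foreach ($b in $Bytes[2..7]) { $authority = $authority * 256 + $b }

    # Sub-authorities: 32-bit values, little-endian.
    $subs = @(for ($i = 0; $i -lt $count; $i++) {
        [BitConverter]::ToUInt32($Bytes, 8 + 4 * $i)
    })

    $sidText = "S-$revision-$authority"
    if ($count -gt 0) { $sidText += '-' + ($subs -join '-') }

    # Domain accounts look like S-1-5-21-<three domain values>-<RID>.
    $domainSid = $null
    $rid = $null
    if ($authority -eq 5 -and $count -eq 5 -and $subs[0] -eq 21) {
        $domainSid = "S-$revision-$authority-" + ($subs[0..3] -join '-')
        $rid = $subs[4]   # relative ID handed out from the DC's RID pool
    }

    [pscustomobject]@{
        Sid       = $sidText
        DomainSid = $domainSid
        Rid       = $rid
    }
}

# Constructed sample SID (not a real account); RID 1105 is an arbitrary value.
$sample = [System.Security.Principal.SecurityIdentifier]::new(
    'S-1-5-21-1004336348-1177238915-682003330-1105')
$raw = New-Object byte[] $sample.BinaryLength
$sample.GetBinaryForm($raw, 0)

$parsed = ConvertFrom-BinarySid -Bytes $raw
$parsed
if ($parsed.Sid -ne $sample.Value) { throw 'Decoder disagrees with .NET SecurityIdentifier' }
```

The domain part is shared by every account in the domain, so only the RID distinguishes one principal from another; renaming the account changes neither.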

22. Please explain what a Superscope is

A Superscope is an administrative feature of the DHCP server that merges individual scopes into one manageable object. This simplifies scope management, giving the administrator the ability to configure the options of multiple scopes in one place.

23. Explain the difference between the Full Access and Modify access rights

The Modify access right allows all operations on the objects, like editing content, creating and deleting.
Full Access allows the same actions as Modify, but additionally allows editing file permissions and taking ownership of the object.

24. What is Round Robin in a DNS server?

Round Robin DNS spreads traffic to a given service by giving clients different responses to the same query when DNS is asked to provide the information. We can create such entries by creating multiple records of the same type with different values.

25. Which built-in tools will you use to troubleshoot replication between Domain Controllers?

Troubleshooting connectivity between DCs should begin with basic network troubleshooting:
– Check if there is network connectivity by running PING to the gateway
– Check connectivity to the second DC with the TRACERT command
– Check DNS health by running DCDIAG /TEST:DNS /e /v
– Check AD replication health by running the REPADMIN /SHOWREPL command.

26. What will happen if FSMO roles become unavailable?

It depends on the role:
– Infrastructure Master – if the Infrastructure Master role is unavailable, objects from remote domains will be displayed as SID identifiers and not by their names.
– RID Master – Domain Controllers will not be able to generate new SIDs once they exhaust their RID pools (each DC stores a batch of 500 RIDs before getting new identifiers from the RID Master).
– PDC Emulator – there will be issues with user logons, and password changes will work only within a single Domain Controller. The ability to share time between devices will also be lost.
– Domain Naming Master – if the role is unavailable, we will lose the ability to add, modify and delete domains within the forest.
– Schema Master – if the role is unavailable, modifications to the Active Directory Schema will not be possible.

27. What can you do to move an FSMO role to another server?

To move an FSMO role to another domain controller, we need to ensure that we are members of one of the following groups (Enterprise Admin, Schema Admin, Domain Admin). Then we can use the Active Directory Users and Directory snap-in: we right-click the domain and choose the Operations Master option. From that window we can manage which DC holds the specified FSMO roles.
Another method is to use NTDSUtil, where we choose roles, then connections, enter the target server and choose the options.

28. Which 2 FSMO role holders can be brought back online after their roles have been seized by other machines?

PDC Emulator
Infrastructure Master
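
For questions 26 to 28, an added example (not from the original post) that inventories the five FSMO role holders with the ActiveDirectory module and checks that each one answers on LDAP, then previews a transfer. The function name Get-FsmoRoleHolder and the target name DC02 are hypothetical; the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example: list FSMO role holders and check that each is reachable.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    $forest = Get-ADForest
    $domain = Get-ADDomain

    # Two forest-wide roles and three per-domain roles.
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }

    foreach ($entry in $roles.GetEnumerator()) {
        [pscustomobject]@{
            Role   = $entry.Key
            Scope  = if ($entry.Key -in 'SchemaMaster', 'DomainNamingMaster') { 'Forest' } else { 'Domain' }
            Holder = $entry.Value
            # True when TCP 389 (LDAP) on the holder accepts a connection.
            LdapReachable = Test-NetConnection -ComputerName $entry.Value -Port 389 `
                -InformationLevel Quiet -WarningAction SilentlyContinue
        }
    }
}

# Report; an unreachable holder is the situation described in question 26.
$report = Get-FsmoRoleHolder
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.LdapReachable } | ForEach-Object {
    Write-Warning "$($_.Role) holder $($_.Holder) is not answering on LDAP"
}

# Preview a graceful transfer of the PDC Emulator role to DC02 (hypothetical name).
# -WhatIf shows what would happen without changing anything.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
    -OperationMasterRole PDCEmulator -WhatIf
```

Adding -Force to the last cmdlet seizes the role instead of transferring it, which is only appropriate when the current holder cannot be brought back.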

29. How would you check which updates are installed on Windows Server 2019?

Basically, we can do it in a few ways:
– Checking in the Programs and Features Control Panel applet
– With the Get-Hotfix cmdlet
– Using the sconfig.cmd script
– Using the Wuauclt client

30. What is the purpose of Active Directory Sites and Services?

Active Directory Sites and Services helps with the management of multiple branches within the organization. Thanks to Sites we can put separate Domain Controllers in branch offices, reducing the traffic sent via the Internet and speeding up the logon process. Also, we can reduce security risks by synchronizing only the part of the directory related to the specific branch.

31. How would you limit the disk storage on one volume for the users and how can you control current usage?

By using the Quota Management feature. In the Disk Properties, we enable Quota management for the drive and configure the limit available to the user. Then in the tray icon, we will have a menu for viewing the quota.

32. Which command would you use to check the current Windows Server activation status?

slmgr.vbs /dlv

33. How can you revoke one of the published certificates in Windows CA?

You need to open the Certificate Authority snap-in within the MMC console. Then you select the issuing CA, go to Issued Certificates, find the certificate, right-click it and choose Revoke.

34. Explain the difference between GPT and MBR

GPT – allows an unlimited number of partitions, volume size 256 TB, not supported before Windows Server 2008, additional security.
MBR – allows 4 partitions (4 primary or 3 primary and one extended), volume limit 2 TB, supported on all computer systems.

35. What is RAID, and can you please explain the differences between the types?

RAID – Redundant Array of Independent Disks – is a technology that allows multiple disks to work as one. Disks can be merged in many different ways, allowing them to have higher security or higher performance. In fact, both can be achieved together.
Stripe – RAID 0 – the simplest RAID system, helping to achieve higher read and write performance. Data is put in chunks on different volumes. The disadvantage is that the failure of one disk means all of the data is lost.
Mirror – RAID 1 – a very simple RAID system, helping to achieve much better security by writing the same data to 2 or more disks simultaneously. In the case of one disk failure, a copy of the disk is available.
RAID 5 – data is randomly divided between all disks in the array. All the disks contain chunks of data together with checksums of the data stored on each of the drives. In the case of disk failure, data can be restored by replacing the failed drive and rebuilding the array.
RAID can be defined physically, at the disk controller level, or logically within the operating system.

36. How can you promote a server to become a Domain Controller?

With Windows Server 2019 the recommended method is to use PowerShell (Install-ADDSDomainController), or to use Add Roles and Services to install the Active Directory Domain Services role and then promote the server to a domain controller. Microsoft no longer recommends the DCPromo.exe application; however, it can still be used.

37. Please explain the role of DNS Forwarders in Windows Server

DNS Forwarders are a list of DNS servers which can be used to resolve a DNS query. If the current DNS server does not know the address for the given query, it forwards the query to the first server on the list to check whether that server knows the DNS record. That action is repeated until data for the record is found or the list of forwarders is exhausted.

38. How can you install software on domain-joined computers?

With MSI or ZAP packages, software can be deployed via Group Policy Objects. If the files are available on a network share accessible to clients, a logon script can be used to install them as well. External software, like Microsoft System Center Configuration Manager, can also be used to perform the task.

39. What is RSoP?

RSoP – Resultant Set of Policies – gives the administrator a view of the GPO policies applied on a machine, greatly helping with GPO troubleshooting. While GPO troubleshooting can also be performed using GPResult from a local machine, RSoP allows us to troubleshoot from the Group Policy Management console.

40. How can you manage Windows Server services from another machine?

If the other machine is also a Windows Server, we can use the Server Manager application, which allows us to create server pools and manage them from one place. Other ways to manage include installing the RSAT toolset, which installs MMC snap-ins for remote Windows Server machines.

41. What is Windows Admin Center?

Windows Admin Center is a web-based tool for managing Windows computers. It offers a simplified way to manage servers and desktops in the environment, providing access to the most common resources, like services, certificates, RDP and machine statistics. It can work in different ways: as a single instance installed on the local machine or as a gateway server installed on an application server.

42. Please explain the virtualization technology built into Windows Server

The built-in virtualization technology in Windows Server is Microsoft Hyper-V. Available for free in both Windows and Windows Server, it allows us to virtualize the x86 platform on physical machines. Hyper-V can virtualize the network, provides support for Secure Boot and TPM, and is well aligned with the current version of Windows.

43. How would you disable the TLS 1.0 and TLS 1.1 protocols in a Windows Server installation?

By setting the registry key values. Alternatively we can use the IISCrypto tool, which also helps with configuring secure ciphers.

44. What is an RODC?

An RODC is a Read-Only Domain Controller, introduced in Windows Server 2008. Its main purpose is to help with managing network load and with placing DCs in locations which may be vulnerable. We can limit the amount of data shared with an RODC and invalidate it when it becomes compromised. An RODC also helps with DNS queries, as it can resolve addresses without pushing them to an RWDC, which may be on the other side of the world.

45. What actions are supported by an RODC?

A read-only AD DS database, one-way replication, replication of only limited attributes, limited credential caching, separation of management, read-only DNS.

46. Explain the difference between Domain Administrator and Enterprise Administrator

A Domain Administrator has full administration permissions within a domain, while an Enterprise Administrator can manage things in the forest and all member domains.

47. How can you get assistance for PowerShell cmdlets?

By using the Get-Help <CMDLet> command within Windows PowerShell.

48. How can you check the hostname of a machine, having only its IP address?

Using the NSLookup command. IP addresses of known hosts are stored in PTR records and can be found in the Reverse Lookup Zone in DNS.

49. What is the Single Sign-On process and which Active Directory component is used to provide the functionality?

The Single Sign-On process allows a user to log in to different systems using a single identity, which is authenticated during user login. The identity is confirmed via Active Directory Federation Services, which passes the username and hash of the password to the application, which verifies the user identity using Active Directory Domain Services.

50. What is BitLocker?

BitLocker is a disk encryption technology offered in Windows and Windows Server systems. BitLocker can use hardware-based TPM solutions as well as Active Directory to confirm user identity.

Do you have any suggestions for Windows Server interview questions that can be asked during technical meetings with a candidate? Tell me in the comments below and maybe I will do a second part of Windows Server questions.

If you also have ideas about what other areas I should cover in the interview questions posts, please reach me on my Facebook – Arek Kożuch.

About me

Arek Kożuch

Arek has dedicated his life to working in IT, always striving for excellence and continuous development. Every day he focuses on what is important and fights to make the world a better place to live.