Your Microsoft Certified Solutions Expert certification has gotten you in the door, and you’re about to have an interview for what could be your dream job. Nice! But are you ready for what comes next? What kind of questions are you likely to be asked? Let’s find out!

Level 1: You want me to do what now?

  1. We have a new clustered application that will be coming online in the next several months and have been debating about whether to use Windows Server 2016 Standard or Datacenter. The new cluster may have to be multi-site, but we aren’t entirely sure yet. What do you think?

    For base level cluster functionality, Windows Server 2016 Standard and Datacenter versions will both do the same jobs. When scaling up, however, that’s really where Datacenter starts to shine. Datacenter is the only version that supports Storage Replica — a method of replicating data quickly from server to server without the potential massive expense of high-level storage appliances. For this reason specifically, when using geographically-separated cluster nodes it is definitely worth looking at Datacenter despite the additional cost. Finding out what additional resources would be available at each site would help tremendously when figuring out a final plan.

    2. We have inconsistent issues with resolving systems and websites in the domain in a specific physical network location. The networking hardware itself is clean, DNS has already been ruled out and the servers themselves are known good systems. What would you suggest looking at?

    ARP caching would absolutely be a good place to start looking for this issue. Where DNS resolves hosts-to-IP-addresses, ARP exists one step lower and resolves IP-addresses-to-MAC-addresses of individual systems. At the gateway of a network, requests come in all the time for different machines and routes them accordingly. If a request comes in for a machine that it doesn’t know where it is, it sends out a broadcast asking for a particular network card to speak up since it has a phone call. When that machine responds back, that entry will now be recorded in the ARP cache for future use and the data will keep flowing. The problem, however, lies in the way that certain routes may be entered as permanent static entries, but then the network is changed. Clearing or at least examining the ARP cache would be good idea to see if there are entries that need to be removed.

    3. You obviously spent quite a bit of time and money getting your MCSE certification. Do you think you’ll want to continue on to additional certifications?

    Obviously this is a very subjective question, but it absolutely is worth considering. Because MCSE can be considered a capstone certification from Microsoft, any other variants or related certifications would be specializations or potentially other vendor-neutral certifications. So the best question to ask yourself is: Where do you want to go from here?

    4. Our company has around two dozen reserved public IP addresses, one for each of our locations. Each of our locations connects back via a VPN tunnel to the main branch, and all servers have been relocated physically to our main branch office. Do we need to keep all of these additional IP addresses?

    With a VPN in place, it would be possible to connect all of the locations together in one giant network but keep the servers public-facing through the use of Network Address Translation (NAT). NAT is the cornerstone upon which every local network is built — an entire organization can operate behind a single public IP address, but effectively have as many private IP addresses as they could ever need in their own structure. In this way, a minimal number of public-facing IP addresses could be retained but still maintain all of the connectivity required for dozens or hundreds of servers accessible via the Web.

    5. What is DHCP? What are the benefits and drawbacks of using it? Is there a reason to keep certain applications with static IPs?

    Dynamic Host Configuration Protocol (DHCP) allows for the automatic issuing of IP addresses from a particular pool to systems asking for them. For the duration of a DHCP lease, that workstation will continue to have that IP address for use. But if it is no longer connected to the network when the lease expires, the IP address will be freed up for use on another system. In this way, the overall pool of addresses can be kept much smaller than if it was required to assign a unique address to every single device that ever connected to the network.

    Unfortunately, if anything happens to your DHCP server and systems are unable to obtain new leases, they will slowly start falling off of the network and be unable to reconnect. It is therefore highly recommended that any device that must remain accessible at all times, such as domain controllers or DNS servers for example, should receive a static IP outside of the DHCP scope. In this way, it will not take addresses away from regular users and prevent accidental IP conflicts.

    6. We have a test lab that needs to be off of our primary domain. Should we set this up as a workgroup or as a separate domain?

    This really depends on the purposes of the test environment. If it needs to be as close as possible to production without interfering with it, a domain very well may be your best bet. However, if it is just testing items to see if just need to function at all or if they do not require Windows authentication, a workgroup may be enough.The biggest reason to go with a workgroup initially would be a much smaller initial expense — none of the licensing or potential hardware purchases for a server system would be required. Gathering more information on what the applications they would be using to start with would be highly recommended.

7. Why did you spend the additional time and resources getting an MCSE instead of sticking with an MCSA?


While it used to take passing a good number of exams to obtain an MCSE, with the revised structure for the 2016 Generation, it is now possible to get an MCSE by passing just a single exam. It just depends on if that’s what you want to do.

8. How do you deal with around-the-clock support stress?

One thing that unfortunately comes with the territory of IT is the fact that you’re never really off the clock. The work/home balance that most other departments can experience usually doesn’t apply to us, so learning to deal with stress is a critical trick and will pay dividends for many years to come.

9. What is the Global Catalog?

The Global Catalog is a reference index of all objects in an Active Directory Forest. Any DC that has been authorized to be a Global Catalog server will have this replicated to them automatically. A critical aspect of the Global Catalog is while it has an index of all objects, it does not have all of the information on every object — the Domain Controllers in charge of that object will be the authority for up-to-date information. In this way, lookups can be quick but still point requests in the direction of the domain where the object actually lives.

10. How many migration projects have you lead?

Various organizations usually pick a version of Windows Server and stick with it for a considerable amount of time. This means that when that operating system starts to reach the End-of-Life status, these same organizations are going to have a considerable amount of work moving mission-critical applications to newer servers. Having experience with this absolutely is going to help.

Level 2: Group (policy) hug!

  1. We recently upgraded several users on one of our domains to a new version of Outlook. None of the upgraded users in the domain are able to have Exchange automatically set itself up based on their user account. What would you suggest looking at?

    Certain DNS entries enable programs to broadcast out their presence across the network. In certain situations such as Exchange, this means the use of the _AutoDiscover SRV entry. With this value present in a domain, users would automatically be pointed to the Exchange server for tasks such as setting up Outlook.

    12. Why is DNS required for Active Directory?

    Active Directory is identity-based, not IP-based. While each of the objects inside of Active Directory are given a Globally Unique Identifier (GUID), the actual identity of the object is based around the human-readable name. If you’ve ever come across situations where a server is not properly resolving GUIDs to user names in the domain, for instance, there are an awful lot of strange things that can happen.

    Being identity-based is one of the reasons why the name of a workstation must be set prior to joining a domain. Once a system is domain-joined, it can only be renamed by dropping it from the domain first.

    Please note, however, that if an account is deleted from within Active Directory, then even if another account is created with the same name it will not be automatically treated the same as the previous object. All permissions will be gone, and the GUID will be different.

    13. We’re going to be building a new domain from scratch but need to use a hand-me-down physical server to do so. What are the minimum services required for Active Directory to function properly that we would need to set up?

    At the absolute minimum, there are two specific elements required for Active Directory to function properly: a Domain Controller running Active Directory Domain Services, and a DNS server somewhere in the environment. If the domain will be a part of an existing tree, it may very well be possible to use an existing DNS server, so all it would need is the new Domain Controller.

    14. What’s the craziest work-related situation you’ve come across?

    Let’s face it, we ALL have that story along the lines of “…so then the guy brings in this workstation with a peanut butter and jelly sandwich stuck inside a disc drive.” Being able to make the interviewer laugh is a critical sign that, yes, you can get along with this person. As you go up the chain of command, character and personality become just as important as a person’s qualifications — it doesn’t matter if they are the smartest person on earth if the person hiring you can’t stand to be in the same room with you for more than five minutes.

    15. Our help desk is complaining about having to install new programs or make changes to each system every time something is approved from the IT department. How would you handle this?

    Group Policy would massively reduce the amount of time required for changes to administrative functions and new program installations. At its most basic definition, Group Policy is a common set of rules that apply to groups of users or computers within your organization. Through the use of Group Policy, as long as the settings are supported, you can push and manage the settings via a single point of reference.

    16. Due to an issue with a former employee, management has declared that all users can’t set custom wallpapers. Testing shows that the minute our help desk changed this on a user’s system, the user changed it right back. How would you handle this?

    Group Policy Objects (GPOs) can be set for pretty much any built-in Windows customization option. So you can set up a GPO for desktop color, wallpaper images (or lack thereof), what options appear in a Start Menu by default, or even if the clock is visible or not. Once the GPO is applied to a set of users or computers, the rules will begin propagating out to the affected systems automatically. Depending on the rules being applied, they may be able to make their changes live, require a logoff/logon of the user, or a full reboot. On top of this, in most situations users will not be able to override these settings, allowing for a true uniform look and feel for the entire organization.

    There are a ridiculous number of options available in Windows Server 2016 by default, with more being added with every Windows 10 update, and all of this before we even touch the idea of third-party administrative templates.

    17. Why would you want to block Group Policy Inheritance?

    We should probably take a step back and answer “What is Group Policy Inheritance?” first. When targeting an organizational unit with a GPO, by default all OUs below whatever level you assign it to will have that policy applied to them. However, there will always be situations where you expressly DON’T want anything non-critical to apply to specific users, servers or workstations. When this arises, you can enter Group Policy Management on one of your Domain Controllers, right-click on an OU that you want to block and select “Block Inheritance.”

    So why would you then want to override this setting? Because even though you want to block unknown policies from applying to this group, you may still want to have certain settings applied.

    18. Users have been complaining for months now that many of the websites they visit refuse to work with Internet Explorer. What alternatives have you run into that could work but still maintain company standards?

    Mozilla Firefox, Apple’s Safari and Opera have all made massive progress over the years in user compatibility and security, however most functions are not designed for a corporate environment. Google Chrome, on the other hand, does have an Enterprise edition available that can be used with Group Policy. Granted, Windows Server doesn’t ship with this support out of the box, but that’s where administrative templates can come into play. Through additional downloadable templates, you can add on support for items such as newer versions of Windows, Microsoft Office or even software from other vendors such as Google Chrome.

    19. Do you spend time with your team after-hours?

    This one is a bit of a trick question. If you’re going for a management position, they don’t necessarily want to hear this, but at the same time if you’re a team member they do want to know if you hang out with co-workers. For IT positions, this can mean anything from pub crawling to mini-golf or running a guild raid.

    20. What do you run on your network at home?

    While being able to learn new things at work is great for somebody interested in IT, but if you want to get down in the guts and tinker, you need to have your own setup. This means having a controlled environment that doesn’t matter if it accidentally blows up in a cloud of hard disk smoke and singed CAT-5 cables … most of the time.

Level 3: Work Smarter, Not Harder

  1. A new user claims they did not receive a GPO, yet their user and computer accounts are in the right OUs. What will you look for?

    The first thing to check will be the user’s AD permissions. If the user or their computer isn’t a member of the group that the GPO applies to, they will not receive it. If this isn’t the issue, then the next step will be to run the GPUpdate and GPResult utilities, which will help to see if a user’s workstation is or is not receiving the proper GPOs. Running a GPUpdate command will also show if there is a replication issue on the system that may indicate a larger issue at play in the network.

    22. You need to get a better idea of what IP addresses are talking to a particular server. What are a few ways you could do that?

    One of the easiest would be using the “netstat –nb” from the command prompt on the targeted server. This allows you to see which IP addresses are talking with this server, on what ports and with what programs (if available).

    This method will tell you who is talking, but if you need to see more specifically what they are talking about, you’ll want to use a piece of software more like Wireshark. This enables you to see far more accurately what is happening between the two systems, and when set up correctly can be a tremendous troubleshooting tool on a very broad scale on your network.

    However, if the amount of traffic going to the server makes these options less than ideal, enabling logging for a particular application may be the most realistic option. This can be exceptionally useful in cases such as Web and FTP servers.

    23. How do you unplug?

    The flip side of being always online, always connected and always on-call is spending time AWAY from all the technology. Whether this means going hunting or fishing, playing sports or going on a vacation where you have to pay through the nose for Internet access, everybody has to have some method to keep from overloading.

    24. How would you fix a Trust Relationship Error without dropping the machine from the domain?

    This particular issue pops up on every network once in a while. A user tries to log in one day and they receive an error upon entering their credentials: “The Trust Relationship between this workstation and the primary domain failed.” Most techs have come across this issue before, and the usual solution is simple — drop it from the domain and rejoin it. Two reboots later, the system is back online.

    However, there may be situations where not only is this option impractical, but the workstation or server in question cannot be rebooted anytime soon. There is a solution to this problem: resetting the computer account’s password. The fastest method to do this, if you have access to Active Directory, is to right click on the computer’s object in “Active Directory Users and Computers” and select “Reset Account.” As long as there are no other underlying issues, within a few moments the user should be able to log in again.

    25. We’re about to perform a complete overhaul of our forest. What are the critical DC operations that we need to look for?

    Flexible Single Master Operation Roles (FSMO) are specific tasks spread out across all available Domain Controllers for the respective area. There are five total roles, three of which exist across a domain while two exist across a forest.

    Domain FSMO Roles

    PDC Emulator: While the structure of a Permanent Primary Domain Controller and Backup Domain Controllers has gone away, one DC at a time will be considered the “Authoritative” Domain Controller for certain tasks. These include (but are not limited to) verification of bad passwords, default group policy editing and being a source for all clients in the domain to sync their system time to.

    RID Master: A Relative ID is assigned to all objects in Active Directory during their creation. All Domain Controllers in a domain are provided a pool of RIDs to use, but if they run out, the RID Master will issue them a new set. The RID Master is also the authority when objects are being transferred from domain to domain.

    Infrastructure Master: While the RID Master takes care of items when they are being permanently moved from domain to domain, if a user from one domain needs access to resources in another domain, the Infrastructure Master can handle that task. Note, however, that this only can happen if there is more than one domain in an environment. If there isn’t, then this role will not function.

    Forest FSMO Roles

    Schema Master: This role handles replicating out schema changes, which honestly means it doesn’t do much at all. The only time this really comes into play is if you’re rolling out a very large Active Directory integrated application like Exchange.

    Domain Naming Master: If new subdomains or domain trees need to be implemented, this role will handle it.

    26. What are you currently interested in?

    Everybody has that one thing that catches their interest that they spend their free time researching and puzzling out. Sometimes it’s building your own virtualization hosts, other times it’s 3D printing, and who knows, maybe it’s homebrew autonomous cars. More often than not, though, if you get good enough at it, you’ll find a way to have it contribute to the organization and that can be worth a great deal to the right people.

    27. What are nested virtual machines?

    In a word? A pain. Nested Virtual Machines are situations where you start with your hypervisor running directly on the host hardware. You would then have a virtual machine running normally, but then set it up as another hypervisor, with its own set of virtual machines running inside of the virtual machine. Not only does this make administration much more difficult than it has to be, but your licensing is going to be all over the place.

    So if you have a choice when it comes to this, just don’t.

    28. What drives you?

    Your answer probably won’t be Chevy, unless your interviewer happens to work on Corvettes on the weekend (which actually happens more than you’d think). In IT, we all need that spark — that motivation that moves us forward to figure out that last bit of code, polish up that last proposal or be awake enough at three in the morning to save that config file you’ve been working on for the last 18 hours. What is it for you? Is it the urge to be the best in your field and rise to the top, to get something absolutely perfect, or just to solve a problem?

    29. If a user wanted to set up a rule in Outlook to automatically move incoming emails from their inbox to a sub-folder using an Exchange backend but didn’t want to keep their copy of Outlook running at all times, how would they have to set that up?

    Outlook Web Access (OWA) is a browser-based client to access your Exchange account. If you wanted to set up a rule that didn’t require your regular Outlook client to be running at all times, the easiest way to do it would be with a server-side rule in OWA. The exact path to get to Rules varies from version to version, but all require logging in as the user then building the rule from basic details — if it has specific words, if it’s from a certain user and so on.

    30. A mid-level manager just came back from purchasing a very expensive laptop for use with the company without getting approval first. It is using Windows 10 Home and they want it put onto the domain immediately as they just finished getting it set up “just right.” How would you handle this?

    In the words of one of my former bosses, “Ha. No.” For starters, non-Pro/Enterprise Versions of Windows cannot be joined to the domain. While exact policies handling non-company-owned assets accessing the network can vary wildly from organization to organization, as a rule no piece of hardware may be joined to the domain without first being authorized by Security and then going through the regular intake policies such as applying the standard company image. While this may cause waves with this particular user, it is far better for the health of the network —  and by extension, the company.

Ethical Hacking Boot Camp — Exam Pass Guarantee

Conclusion

It’s normal to be nervous going into an interview. Not only is it a test of your knowledge, but it’s an evaluation to see if you’re going to match the company or the role in personality and viewpoint. However, you can tip the odds in your favor by looking into what the company specifically wants and thinking about your answers beforehand.

Studying more potential questions can also help you. We recommend checking out Skillset.com, which has over a hundred thousand practice questions related to multiple certifications. Consider what you may be asked about and focus your studying on the areas relevant to the job you’re going for.

And remember: no matter how nervous you are, you are going to be better than you think you will be. After all, it’s guaranteed that someone who’s gone before you has already pulled something that made that sandwich in the disc drive look like amateur hour. So relax, take a deep breath, and go get that dream job.

What to read other interview questions with answers? Check out these articles:

Top 50 Information Security Interview Questions
Top 30 Incident Responder Interview Questions and Answers for 2019
Top 30 Penetration Tester (Pentester) Interview Questions and Answers for 2019