Documents to Read

— ny_wk

This guide to system administration interview questions and answers covers the two pillars every Windows sysadmin is tested on: Windows Server (using the Server 2012 R2 feature set as a teaching baseline) and System Center Configuration Manager (SCCM/MECM). Each section explains the concept, gives a representative interview question, and supplies a corrected, accurate answer you can actually use in a certification exam or a real job screen.

Two important notes up front. Both Windows Server 2012 R2 and SCCM 2007 R2 are end-of-life: 2012 R2 reached end of extended support on 10 October 2023, and Configuration Manager 2007 was retired long before that. The fundamentals below are still examined and still relevant, but where a product has moved on, the modern equivalent is called out so your answers sound current rather than dated.

How to study system administration interview questions effectively

Memorising answer dumps fails in interviews because experienced panels ask follow-ups. Instead, learn the why behind each feature so you can reason on the spot. Group your study by domain:

  • Active Directory and identity — domains, forests, FSMO roles, replication, Group Policy.
  • Core infrastructure services — DNS, DHCP, networking, storage.
  • Virtualisation and high availability — Hyper-V, failover clustering.
  • Endpoint management — SCCM/MECM, software deployment, patching, OS imaging.
  • Modern equivalents — Intune, Microsoft Entra ID, Windows Admin Center, PowerShell.

The sections that follow walk through each domain in that order, mirroring how a senior system administration screen typically flows from identity to infrastructure to management tooling.

Active Directory and identity questions

Active Directory Domain Services (AD DS) is the heart of a Windows enterprise, so expect the densest questioning here.

What is the difference between a domain, a tree, and a forest?

A domain is a single administrative and replication boundary for objects such as users and computers (for example, corp.example.com). A tree is one or more domains that share a contiguous DNS namespace and a transitive parent-child trust. A forest is the top-level security boundary that contains one or more trees; all domains in a forest share a common schema and global catalog. The forest, not the domain, is the true security boundary.

What are the five FSMO roles?

Flexible Single Master Operation roles handle operations that cannot be multi-master. There are five, split into forest-wide and domain-wide:

  • Schema Master (forest-wide) — controls changes to the AD schema.
  • Domain Naming Master (forest-wide) — controls adding and removing domains.
  • RID Master (domain-wide) — allocates pools of relative identifiers to DCs.
  • PDC Emulator (domain-wide) — time sync source, password change priority, and account-lockout processing.
  • Infrastructure Master (domain-wide) — updates cross-domain object references.

Check role placement with PowerShell:

  1. List domain-level roles: netdom query fsmo
  2. Or, granularly: Get-ADDomain | Select-Object PDCEmulator,RIDMaster,InfrastructureMaster and Get-ADForest | Select-Object SchemaMaster,DomainNamingMaster

What is the global catalog and why does it matter?

The global catalog (GC) is a partial, read-only replica of every object in the forest, hosted on designated domain controllers. It speeds up forest-wide searches and is required for universal group membership resolution at logon. In a single-domain forest you can make every DC a GC; in multi-domain forests, plan GC placement near users to avoid logon delays.

How does Active Directory replication work?

AD uses multi-master replication: changes can originate on any writable DC and converge across all DCs. Within a site, the Knowledge Consistency Checker (KCC) builds a ring topology and replicates within seconds by change notification. Between sites, replication is compressed and scheduled across site links to conserve WAN bandwidth. Force and verify replication with:

  1. repadmin /syncall /AdeP — push and pull all partitions.
  2. repadmin /showrepl — show inbound replication status and last errors.
  3. dcdiag /v — run comprehensive DC health tests.

Group Policy questions for Windows system administration

In what order are Group Policy Objects applied?

The processing order is LSDOU: Local policy, then Site, then Domain, then Organisational Unit (parent OU before child OU). Later policies override earlier ones on conflicting settings, so OU-linked GPOs win by default. Exceptions: Enforced links cannot be overridden, and Block Inheritance on an OU stops higher-level policies (unless those are Enforced).
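
The precedence rules above, worked through as a small PowerShell model. This is an added example, not Microsoft's Group Policy engine: the function name Get-GpoApplyOrder, the container names, and the GPO names are constructed for illustration, and it assumes one GPO link per container.

```powershell
# Added example: simplified model of GPO precedence (LSDOU, Enforced, Block Inheritance).
# Assumption: one GPO link per container; every name below is constructed sample data.
function Get-GpoApplyOrder {
    param(
        # Containers ordered Local, Site, Domain, parent OU, child OU.
        [Parameter(Mandatory)] [hashtable[]] $Levels
    )

    # Block Inheritance hides non-enforced links from every level above the container,
    # so only the deepest blocking container matters.
    $blockAt = -1
    for ($i = 0; $i -lt $Levels.Count; $i++) {
        if ($Levels[$i].BlockInheritance) { $blockAt = $i }
    }

    $normal = @()
    $enforced = @()
    for ($i = 0; $i -lt $Levels.Count; $i++) {
        $level = $Levels[$i]
        if (-not $level.Gpo) { continue }                 # nothing linked at this level
        if ($level.Enforced) { $enforced += $level }      # Enforced survives Block Inheritance
        elseif ($level.Scope -eq 'Local' -or $i -ge $blockAt) { $normal += $level }
    }

    # Non-enforced GPOs apply in LSDOU order. Enforced GPOs apply after them, deepest
    # container first, so the enforced link highest in the hierarchy is applied last.
    [array]::Reverse($enforced)
    $order = 0
    foreach ($level in ($normal + $enforced)) {
        $order++
        [pscustomobject]@{
            Order    = $order
            Scope    = $level.Scope
            Gpo      = $level.Gpo
            Enforced = [bool]$level.Enforced
        }
    }
}

# Constructed sample hierarchy for a computer in OU=Web,OU=Servers.
$levels = @(
    @{ Scope = 'Local';             Gpo = 'Local policy' }
    @{ Scope = 'Site';              Gpo = 'Site Proxy' }
    @{ Scope = 'Domain';            Gpo = 'Domain Baseline'; Enforced = $true }
    @{ Scope = 'OU=Servers';        Gpo = 'Server Hardening'; BlockInheritance = $true }
    @{ Scope = 'OU=Web,OU=Servers'; Gpo = 'Web Tier' }
)
Get-GpoApplyOrder -Levels $levels | Format-Table -AutoSize
```

The last row returned is the GPO that wins on a conflicting setting; a GPO missing from the output was stopped by Block Inheritance.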

How do you troubleshoot a policy that is not applying?

  1. Force a refresh on the client: gpupdate /force
  2. Generate a resultant-set-of-policy report: gpresult /h C:\report.html
  3. Confirm the user or computer is in the correct OU and within the GPO's security filtering scope.
  4. Check WMI filters and link order; remember computer settings need a reboot or computer-side refresh, user settings need a re-logon.

DNS, DHCP, and core infrastructure questions

Why is DNS critical to Active Directory?

AD depends entirely on DNS for service (SRV) records that let clients locate domain controllers, the global catalog, and Kerberos services. Without correct DNS, logons, replication, and GPO processing all fail. Best practice is to run AD-integrated DNS zones, which store records in AD, replicate automatically, and support secure dynamic updates.
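
One way to check the SRV records described above from any domain-joined or lab client. This is an added example, not part of the original guide: the function name Test-AdSrvRecord is hypothetical, it assumes the DnsClient module (Resolve-DnsName, Windows 8 / Server 2012 or later), and it uses the corp.lab lab domain as sample input.

```powershell
# Added example: verify the SRV locator records that AD clients depend on.
# Assumption: single-domain lab forest, so the forest root name equals the domain name.
function Test-AdSrvRecord {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [string] $DnsServer    # optional: ask one specific DNS server
    )

    $query = @{}
    if ($DnsServer) { $query.Server = $DnsServer }

    $names = @(
        "_ldap._tcp.dc._msdcs.$DomainName"    # domain controllers
        "_kerberos._tcp.$DomainName"          # Kerberos KDCs
        "_gc._tcp.$DomainName"                # global catalog (registered under the forest root)
        "_ldap._tcp.pdc._msdcs.$DomainName"   # PDC Emulator
    )

    foreach ($name in $names) {
        # Keep only SRV answers; the response can also carry A records or an SOA.
        $srv = @(Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue @query |
                 Where-Object { $_.Type -eq 'SRV' })

        if ($srv.Count -eq 0) {
            [pscustomobject]@{ Record = $name; Target = $null; Port = $null; Address = $null; Healthy = $false }
            continue
        }

        foreach ($r in $srv) {
            # An SRV record is only useful if its target host also resolves to an address.
            $ip = @(Resolve-DnsName -Name $r.NameTarget -ErrorAction SilentlyContinue @query |
                    Where-Object { $_.IPAddress }).IPAddress
            [pscustomobject]@{
                Record  = $name
                Target  = $r.NameTarget
                Port    = $r.Port
                Address = $ip -join ', '
                Healthy = [bool]$ip
            }
        }
    }
}

Test-AdSrvRecord -DomainName 'corp.lab' | Format-Table -AutoSize
```

Rows with Healthy set to False point at a missing SRV registration or a target host with no address record, which is where to start before looking at replication or GPO processing.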

What are the common DNS record types?

Record      Purpose
A / AAAA    Maps a hostname to an IPv4 / IPv6 address
CNAME       Alias pointing one name to another name
MX          Mail exchanger for a domain
SRV         Locates services such as _ldap and _kerberos for AD
PTR         Reverse lookup, IP back to hostname
NS / SOA    Nameservers and the zone's authority record

What is a DHCP scope, reservation, and lease?

A scope is the range of IP addresses a DHCP server can hand out for a subnet, along with options like default gateway and DNS servers. A reservation ties a specific MAC address to a fixed IP within that scope so a device always gets the same address. A lease is the time-limited assignment of an address to a client. For redundancy, Server 2012 R2 introduced DHCP failover (hot-standby or load-balance), which is far simpler than the old split-scope approach.

Hyper-V and high availability questions

What is the difference between a generation 1 and generation 2 Hyper-V VM?

Generation 1 VMs emulate legacy BIOS hardware (IDE boot, legacy NIC) for broad OS compatibility. Generation 2 VMs, introduced in Server 2012 R2, use UEFI firmware, support Secure Boot, boot from SCSI, and PXE boot from a standard network adapter. Generation 2 is preferred for modern 64-bit Windows guests; you cannot convert one type to the other after creation.

What is failover clustering and what is a quorum?

A failover cluster groups multiple servers (nodes) so that if one fails, its clustered roles, such as Hyper-V VMs or file shares, restart on another node, providing high availability. Quorum is the voting mechanism that decides whether the cluster has enough active members to keep running, preventing a "split-brain" where two halves operate independently. Modern designs use dynamic quorum with a witness (disk, file share, or cloud witness in Azure) to maintain a majority of votes.

SCCM / Configuration Manager interview questions and answers

This is the endpoint-management half of the screen. While the source material references the legacy Configuration Manager 2007 R2, the product is now Microsoft Configuration Manager (MECM), part of the Microsoft Intune family on the current-branch servicing model. Use the modern names in your answers and treat 2007 concepts as the historical foundation.

What is SCCM used for?

System Center Configuration Manager is an enterprise endpoint-management platform for Windows devices. Its core capabilities are software deployment, patch management (software updates), operating system deployment (OSD), hardware and software inventory, compliance settings, and endpoint protection reporting. It scales to tens of thousands of machines from a central site.

How does an SCCM client find its management point?

The client locates Configuration Manager site systems through service location records published in Active Directory (when the schema is extended) or via DNS and boundary configuration. Boundaries (IP subnet, AD site, IP range, or IPv6 prefix) are grouped into boundary groups that associate clients with the nearest distribution point for content and an assigned site for management.

What is the difference between a collection and a boundary?

A collection is a logical grouping of devices or users used as the target for deployments and policies; membership can be direct (manually added) or query-based (dynamically evaluated, for example all machines running a specific OS). A boundary is a network location definition used for content location and site assignment. In short: boundaries decide where content comes from, collections decide what gets deployed and to whom.

Explain the SCCM software update (patching) workflow.

  1. Configure the Software Update Point (SUP), which integrates with WSUS to sync update metadata from Microsoft.
  2. Run a synchronization so the catalog of available updates appears in the console.
  3. Create a Software Update Group containing the required updates and deploy it to a collection.
  4. Updates are downloaded into a Deployment Package and distributed to distribution points.
  5. Clients evaluate against maintenance windows and install during the allowed period, then report compliance.

What is OS Deployment (OSD) and what is a task sequence?

OSD is the process of imaging and provisioning computers with a Windows operating system. A task sequence is the ordered set of steps that automates it: partition and format the disk, apply the OS image (a .wim file), apply drivers, join the domain, install applications, and run scripts. Task sequences can be deployed to existing machines (in-place or refresh) or to bare metal via PXE boot using a boot image and the Windows Preinstallation Environment (WinPE).

What is the difference between an Application and a Package in SCCM?

A Package (the legacy model from the 2007 era) is a simple wrapper around a program and command line with no built-in intelligence about state. An Application (modern model) uses detection methods and requirement rules to determine whether software is already installed, whether the device qualifies, and supports user-device affinity and supersedence. Prefer Applications for anything new; Packages remain only for scripts and legacy installers.

Modern equivalents every sysadmin should mention

Because the underlying products are EOL, a strong candidate signals awareness of where Microsoft management has moved. Map the legacy concept to its current counterpart:

Legacy (2007–2012 era)            Modern equivalent
SCCM 2007 R2                      Microsoft Configuration Manager (MECM), current branch
On-prem SCCM only                 Co-management with Microsoft Intune (cloud MDM)
Active Directory (on-prem)        Microsoft Entra ID (cloud identity), hybrid join
Server Manager / RSAT consoles    Windows Admin Center
Logon scripts and manual tasks    PowerShell and Desired State Configuration
Windows Server 2012 R2            Windows Server 2022 / 2025

If asked "why migrate?", give concrete drivers: security updates ended for 2012 R2 in October 2023, Azure offers paid Extended Security Updates only as a bridge, and cloud co-management enables remote endpoint control for hybrid workforces without VPN dependency.

Common pitfalls candidates make

  • Confusing the security boundary. The forest is the security boundary, not the domain. This trips up many interviewees.
  • Listing four FSMO roles. There are five; missing the Schema Master or Domain Naming Master is a classic slip.
  • Mixing up collections and boundaries in SCCM. Keep "what to deploy" separate from "where content lives."
  • Quoting dead products as current. Always pair the legacy answer with the modern equivalent.
  • Ignoring DNS when AD breaks. The first troubleshooting step for most AD failures is verifying DNS and SRV records.

How to verify your knowledge before the interview

Build a small lab so your answers come from experience, not memorisation. A practical checklist:

  1. Stand up a domain controller in Hyper-V and promote it: Install-ADDSForest -DomainName corp.lab
  2. Confirm health: dcdiag /v and repadmin /replsummary
  3. Create a GPO, link it to an OU, and prove application with gpresult /r
  4. Add and test DNS and DHCP roles, then create a scope and a reservation.
  5. If possible, install MECM in an eval lab and walk through a software-update deployment and a basic task sequence.

Being able to describe a step you actually performed is what separates a senior system administration candidate from someone reciting notes.

Key Takeaways

  • The forest is the security boundary; there are five FSMO roles split into two forest-wide and three domain-wide.
  • DNS underpins Active Directory through SRV records, so it is the first thing to check when logons or replication fail.
  • In SCCM, boundaries control content location while collections control deployment targets — never conflate them.
  • Prefer the Application model over Packages for its detection methods and requirement rules.
  • Both Windows Server 2012 R2 and SCCM 2007 are EOL; pair every legacy answer with its modern equivalent (MECM, Intune, Entra ID, Windows Admin Center).

Frequently Asked Questions

Is Windows Server 2012 R2 still supported?

No. Extended support ended on 10 October 2023. It receives no free security updates; Azure-based Extended Security Updates are available for a fee as a temporary bridge, but the recommended path is migrating to Windows Server 2022 or 2025.

What replaced SCCM 2007?

Configuration Manager moved to a current-branch servicing model and is now Microsoft Configuration Manager (MECM), part of the Microsoft Intune product family. Many organisations run co-management, sharing workloads between on-prem MECM and cloud-based Intune.

What is the difference between SCCM and WSUS?

WSUS only distributes Microsoft software updates. SCCM uses WSUS as its update engine via the Software Update Point but adds full endpoint management: application deployment, OS imaging, inventory, compliance, and granular targeting through collections and maintenance windows.

How many FSMO roles are there and where do they live?

There are five. The Schema Master and Domain Naming Master are forest-wide (one per forest); the RID Master, PDC Emulator, and Infrastructure Master are domain-wide (one set per domain).
