System Administrator

Complete Interview Guide

L1 · L2 · L3 · Support Engineer

Topics Covered
✔ Linux Administration ✔ Windows Server ✔ Networking & CCNA

✔ VLAN & Switching ✔ Patch Management ✔ Hardware Troubleshooting

✔ Ports & Protocols ✔ Security ✔ Virtualization

✔ Active Directory ✔ Backup & Recovery ✔ Cloud Basics

✔ Day-to-Day Scenarios ✔ Tough Questions ✔ HR & Soft Skills

200+ Interview Questions | All Levels | Brief & Clear Answers

Edition: February 2026 | For Interview Preparation Only

SysAdmin Interview Complete Guide Page 1

 Table of Contents
1. Linux Administration
• Basic Commands
• File System
• User Management
• Processes & Services
• Networking in Linux
• Permissions
• Cron & Automation
• Tough Linux Questions
2. Windows Server Administration
• Active Directory
• Group Policy
• DNS & DHCP
• File & Print Services
• Windows Troubleshooting
• PowerShell
3. Networking Fundamentals (CCNA Level)
• OSI Model
• TCP/IP
• Subnetting
• Routing Protocols
• Switching Concepts
• NAT & PAT
• ACLs
• Troubleshooting
4. VLAN & Network Management
• VLAN Basics
• Trunking
• STP
• Inter-VLAN Routing
• Network Monitoring
5. Ports & Protocols Reference
• Common Ports
• Protocol Questions
6. Patch Management
• Patch Process
• WSUS
• Linux Patching
• Patch Scenarios
7. Hardware & Infrastructure
• Server Hardware
• RAID
• Storage
• Troubleshooting Hardware
8. Security & Firewall
• Firewall Concepts
• Security Best Practices
• Incident Response
9. Virtualization & Cloud

SysAdmin Interview Complete Guide Page 2

 • VMware/Hyper-V
• Cloud Basics
• Backup & DR
10. Day-to-Day Scenarios
• Real-World Scenarios
• Escalation Handling
• Change Management
11. Tough & Tricky Questions
• L2/L3 Tough Questions
• Problem-Solving
12. HR Round & Soft Skills
• HR Questions
• Behavioral Questions
• Situational Questions
• Salary & Career

SysAdmin Interview Complete Guide Page 3

Chapter 1: Linux Administration

1.1 Basic Linux Commands

Q: What is the difference between absolute and relative path?

A: Absolute path starts from root (/) e.g., /home/user/[Link]. Relative path is relative to current directory
e.g., ../docs/[Link].

Q: How do you find a file in Linux?

A: Use 'find / -name filename' to search entire system, or 'locate filename' for faster indexed search.
'which command' finds executable location.

Q: What does the 'ls -la' command show?

A: Lists all files including hidden (.) files in long format showing permissions, owner, group, size,
modification date and filename.

Q: How do you view the last 50 lines of a log file in real time?
A: tail -f -n 50 /var/log/syslog — '-f' follows the file as it grows, '-n 50' shows last 50 lines.

Q: Difference between > and >> in Linux?

A: > redirects output and overwrites the file. >> appends output to the existing file without overwriting.

Q: What is the use of grep command?

A: grep searches for patterns in files. Example: grep -i 'error' /var/log/syslog — '-i' is case-insensitive. Use
grep -r for recursive search in directories.

Q: How do you check disk usage?

A: df -h shows filesystem disk space usage. du -sh /directory shows size of a specific directory. du -sh *
shows size of all items in current directory.

Q: What is the difference between cp, mv and ln?

A: cp copies files. mv moves or renames files. ln creates links — 'ln file link' creates a hard link, 'ln -s file
link' creates a symbolic (soft) link.

Q: How do you compress and extract files in Linux?

A: tar -czf [Link] directory/ compresses. tar -xzf [Link] extracts. zip/unzip for .zip files.
gzip/gunzip for .gz files.

Q: How do you search for text inside multiple files?

A: grep -r 'search_text' /path/to/directory — recursively searches all files. Add --include='*.log' to filter by
file type.

1.2 File System & Permissions

Q: Explain Linux file system hierarchy.

A: /bin — essential binaries. /etc — configuration files. /home — user directories. /var — variable data like
logs. /tmp — temporary files. /usr — user programs. /opt — optional software. /proc — virtual filesystem
for kernel/process info.

Q: What are Linux file permissions? Explain rwx.

SysAdmin Interview Complete Guide Page 4

 A: r=read(4), w=write(2), x=execute(1). Permissions are set for owner, group, others. Example: chmod
755 file gives owner rwx (7), group r-x (5), others r-x (5).

Q: What is the difference between chmod and chown?

A: chmod changes file permissions. chown changes file owner and group. Example: chown user:group
file. chmod 644 file.

Q: What is umask?
A: umask sets default permissions for newly created files/directories. Default umask 022 means files get
644 permissions (666-022) and directories get 755 (777-022).

Q: What is the sticky bit?

A: Sticky bit on a directory (chmod +t or 1777) means only the file owner can delete their files within it,
even if others have write permission. Used on /tmp.

Q: What is SUID and SGID?

A: SUID (chmod u+s) runs a file with the owner's permissions. SGID on a file runs with group
permissions; on a directory, new files inherit the directory's group.

Q: How do you find files with specific permissions?

A: find / -perm 777 -type f finds files with 777 permissions. find / -perm /4000 finds SUID files. find / -user
root -perm -4000 finds SUID files owned by root.

1.3 User & Group Management

Q: How do you create a user in Linux?

A: useradd -m -s /bin/bash -c 'Full Name' username — '-m' creates home directory, '-s' sets shell. Then
passwd username to set password.

Q: What is the difference between useradd and adduser?

A: useradd is a low-level utility requiring manual configuration. adduser (Debian/Ubuntu) is a higher-level
script that's interactive and sets up home directory and defaults automatically.

Q: How do you lock and unlock a user account?

A: Lock: passwd -l username or usermod -L username. Unlock: passwd -u username or usermod -U
username. Check: passwd -S username.

Q: What files store user information in Linux?

A: /etc/passwd — user accounts. /etc/shadow — encrypted passwords. /etc/group — group information.
/etc/gshadow — group passwords.

Q: How do you add a user to a group?

A: usermod -aG groupname username — '-a' appends to existing groups without removing from others.
View groups with 'groups username' or 'id username'.

Q: What is sudo and how do you configure it?

A: sudo allows users to run commands as root. Configure with 'visudo' which edits /etc/sudoers safely.
Add: username ALL=(ALL:ALL) ALL to give full sudo access.

Q: How do you change a user's shell?

A: chsh -s /bin/bash username or usermod -s /bin/bash username. Available shells are listed in
/etc/shells.

1.4 Processes & Services

SysAdmin Interview Complete Guide Page 5

 Q: How do you view running processes?
A: ps aux shows all processes. top or htop for interactive view. pstree shows process hierarchy. ps -ef
shows full format with parent PID.

Q: How do you kill a process?

A: kill PID sends SIGTERM (graceful). kill -9 PID sends SIGKILL (forced). killall process_name kills by
name. pkill -u username kills all user processes.

Q: What is the difference between SIGTERM and SIGKILL?

A: SIGTERM (signal 15) asks process to terminate gracefully, allowing cleanup. SIGKILL (signal 9)
immediately kills the process without cleanup — use as last resort.

Q: How do you run a process in the background?

A: Add & at end: command &. Use nohup command & to keep running after logout. Bring to foreground
with fg. List background jobs with jobs command.

Q: How do you manage services in Linux?

A: systemctl start/stop/restart/status service — for systemd systems. service name start/stop — older
init.d. systemctl enable/disable for autostart on boot.

Q: What is systemd?
A: systemd is the init system and service manager for modern Linux. It manages services (units), boots
the system, handles logging (journald), and replaces SysV init.

Q: How do you check system logs?

A: journalctl -xe for systemd logs. journalctl -u servicename for specific service. /var/log/syslog or
/var/log/messages for system logs. dmesg for kernel messages.

Q: What is a zombie process?

A: A zombie process has completed execution but still has an entry in the process table because its
parent hasn't read its exit status. It wastes a PID slot. Parent must call wait() to remove it.

Q: How do you check memory and CPU usage?

A: free -h for memory. top/htop for CPU and memory. vmstat for virtual memory stats. sar for historical
data. cat /proc/meminfo for detailed memory info.

1.5 Networking in Linux

Q: How do you check network interface configuration?

A: ip addr show or ifconfig. ip link show for link status. ip route show for routing table. nmcli for
NetworkManager-based systems.

Q: How do you configure a static IP in Linux?

A: Edit /etc/network/interfaces (Debian) or /etc/sysconfig/network-scripts/ifcfg-eth0 (RHEL). Or use nmcli:
nmcli con mod 'conn' [Link] '[Link]/24' [Link] manual.

Q: How do you test network connectivity?

A: ping hostname/IP for basic connectivity. traceroute/tracepath for path. telnet IP port to test port. netstat
-tulpn or ss -tulpn for listening ports. curl/wget to test HTTP.

Q: What is /etc/hosts file?

A: /etc/hosts maps hostnames to IP addresses locally, before DNS is queried. Format: IP hostname alias.
Useful for overriding DNS or when DNS is unavailable.

SysAdmin Interview Complete Guide Page 6

 Q: How do you check which process is using a port?
A: netstat -tulpn | grep :80 or ss -tulpn | grep :80. lsof -i :80 also shows process using port 80.

Q: What is iptables?
A: iptables is Linux's built-in firewall. It uses chains (INPUT, OUTPUT, FORWARD) and rules to
accept/drop packets. Modern systems use nftables or firewalld as a frontend.

Q: How do you add a firewall rule in Linux?

A: iptables -A INPUT -p tcp --dport 22 -j ACCEPT allows SSH. firewall-cmd --add-port=80/tcp --permanent
for firewalld. ufw allow 80/tcp for UFW.

1.6 Cron & Automation

Q: What is cron and how do you use it?

A: Cron is a time-based job scheduler. Edit with 'crontab -e'. Format: minute hour day month weekday
command. Example: 0 2 * * * /scripts/[Link] runs backup at 2 AM daily.

Q: Explain cron expression: '*/5 * * * *'

A: Runs every 5 minutes, every hour, every day, every month, every day of week. The */5 means 'every 5
units'. This executes: 0,5,10,15,20,25,30,35,40,45,50,55 minutes.

Q: What is the difference between cron and at?

A: cron is for recurring scheduled jobs. at is for one-time job execution at a specific time. Example: echo
'shutdown -h now' | at 11:00 PM will shutdown once at 11 PM.

Q: What are shell scripts used for in sysadmin?

A: Automating repetitive tasks (backups, cleanup), monitoring systems, deploying configurations, user
management, log rotation, automated health checks, and report generation.

1.7 Tough Linux Questions (L2/L3)

Q: Server is unreachable. Walk me through troubleshooting.

A: Check physical connectivity → ping gateway → check if server is up (ping from another host) → check
firewall rules (iptables -L) → verify network config (ip addr) → check routing (ip route) → review logs
(/var/log/messages) → check service status (systemctl status).

Q: How do you recover root password in Linux?

A: Reboot → Enter GRUB menu → Edit kernel line, add 'init=/bin/bash' → Mount filesystem rw: 'mount -o
remount,rw /' → Change password: 'passwd root' → Reboot. For RHEL7+, use [Link] in GRUB.

Q: What happens when you type a command in Linux?

A: Shell reads command → Checks if alias → Searches PATH for binary → fork() creates child process →
exec() replaces child with command → Command runs → Exit code returned to parent shell.

Q: How do you troubleshoot high load average?

A: Check load with uptime/top → Identify culprit processes (top, ps aux --sort=-%cpu) → Check disk I/O
(iostat, iotop) → Check memory (free -h, vmstat) → Review logs → Restart hung services.

Q: Explain the boot process in Linux.

A: Power ON → BIOS/UEFI POST → Bootloader (GRUB) loads → Kernel loaded into RAM → initramfs
mounts root filesystem → systemd (PID 1) starts → Targets/runlevels executed → Login prompt appears.

Q: What is LVM and why use it?

SysAdmin Interview Complete Guide Page 7

 A: Logical Volume Manager allows flexible disk management. PV (Physical Volume) → VG (Volume
Group) → LV (Logical Volume). Advantages: resize volumes on-the-fly, snapshots, spanning multiple
disks, no downtime for expansion.

Q: How do you extend an LVM volume?

A: pvextend /dev/sdb1 → vgextend vgname /dev/sdb1 → lvextend -L +10G /dev/vgname/lvname →
resize2fs /dev/vgname/lvname (ext4) or xfs_growfs /mount/point (XFS).

SysAdmin Interview Complete Guide Page 8

Chapter 2: Windows Server Administration

2.1 Active Directory

Q: What is Active Directory?

A: Active Directory (AD) is Microsoft's directory service for Windows networks. It stores info about users,
computers, and resources, and provides authentication (Kerberos) and authorization in a centralized
manner.

Q: What are the components of Active Directory?

A: Domain — logical grouping of objects. Forest — one or more domains sharing schema. OU
(Organizational Unit) — container for objects. DC (Domain Controller) — server running AD DS. Schema
— defines object types and attributes.

Q: What is the difference between a Domain and a Workgroup?

A: Domain: centralized management, single login, GPOs, scalable for large orgs. Workgroup:
decentralized, each PC manages its own accounts, max ~20 computers, no central control.

Q: What are FSMO roles?

A: Five Flexible Single Master Operation roles: Schema Master, Domain Naming Master (forest-wide);
PDC Emulator, RID Master, Infrastructure Master (domain-wide). Each role has a unique function — e.g.,
PDC handles password changes and time sync.

Q: How do you check FSMO role holders?

A: Run 'netdom query fsmo' in CMD or 'Get-ADDomain | Select-Object
PDCEmulator,RIDMaster,InfrastructureMaster' in PowerShell. 'Get-ADForest' for schema and naming
master.

Q: What is a Global Catalog?

A: A Global Catalog (GC) is a DC that stores a full copy of all objects in its domain and a partial copy of
objects in all other domains in the forest. It enables forest-wide searches and universal group
membership resolution.

Q: What is LDAP?
A: Lightweight Directory Access Protocol — the protocol used to query and modify Active Directory. AD
listens on port 389 (LDAP) and 636 (LDAPS/secure). Used by applications to authenticate against AD.

Q: How do you join a computer to a domain?

A: GUI: System Properties → Change → Domain → enter domain name → provide admin credentials →
restart. PowerShell: Add-Computer -DomainName [Link] -Credential domain\admin -Restart.

Q: What is a trust relationship in AD?

A: A trust allows users in one domain to access resources in another. Types: One-way (A trusts B),
Two-way (both trust each other), Transitive (trust flows through), External, Forest trusts. Default between
domains in same forest is two-way transitive.

Q: How do you reset a user password in AD?

A: AD Users & Computers → Find user → Right-click → Reset Password. PowerShell:
Set-ADAccountPassword -Identity username -NewPassword (Read-Host -AsSecureString) -Reset. Can
also unlock account simultaneously.

SysAdmin Interview Complete Guide Page 9

 2.2 Group Policy

Q: What is Group Policy?

A: Group Policy Objects (GPOs) apply settings to users and computers in an AD domain. They enforce
security settings, software installation, desktop configuration, and scripts across the organization.

Q: What is the order of GPO processing?

A: LSDOU — Local → Site → Domain → Organizational Unit. Higher-level policies are applied first; OU
policies override domain policies. Last applied wins (unless enforced/Block Inheritance is set).

Q: What is the difference between GPO Enforced and Block Inheritance?

A: Enforced (No Override): ensures GPO settings cannot be overridden by child OUs. Block Inheritance:
prevents parent GPOs from applying to an OU. Enforced takes priority over Block Inheritance.

Q: How do you force a Group Policy update?

A: Run 'gpupdate /force' on the client. 'gpupdate /force /logoff' to logoff after update. Check applied GPOs
with 'gpresult /r' or 'gpresult /h [Link]'.

Q: What is the difference between Computer Configuration and User Configuration in GPO?
A: Computer Configuration applies settings to computers regardless of who logs in (applied at startup).
User Configuration applies to users regardless of which computer they use (applied at logon).

Q: What is a Starter GPO?

A: A Starter GPO is a template GPO that can be used as a starting point when creating new GPOs. It
captures Administrative Templates settings that you want to use as a baseline.

2.3 DNS & DHCP

Q: What is DNS and how does it work?

A: Domain Name System translates hostnames to IP addresses. Client queries local DNS cache → hosts
file → local DNS server → forwarders → root hints. DNS uses port 53 (UDP for queries, TCP for zone
transfers).

Q: What are DNS record types?

A: A — IPv4 address. AAAA — IPv6. CNAME — alias. MX — mail server. PTR — reverse lookup. NS —
name server. SOA — Start of Authority. SRV — service location. TXT — text/verification records.

Q: What is the difference between forward and reverse DNS lookup?

A: Forward lookup resolves hostname → IP (A record). Reverse lookup resolves IP → hostname (PTR
record in [Link] zone). Reverse DNS is used by mail servers, SSH, and logging.

Q: What is a DHCP scope?

A: A DHCP scope is a range of IP addresses that a DHCP server can assign to clients. It includes: IP
range, subnet mask, exclusions, reservations, lease duration, and options (gateway, DNS, etc.).

Q: What is DHCP failover?

A: DHCP failover allows two DHCP servers to share a scope for redundancy. Modes: Hot Standby (one
active, one standby) or Load Balance (both serve requests). Configured in Windows Server 2012+.

Q: What is APIPA?
A: Automatic Private IP Addressing — when a DHCP client can't reach a server, Windows assigns itself a
169.254.x.x/16 address. This indicates a DHCP connectivity problem and means the client cannot reach
the network properly.

SysAdmin Interview Complete Guide Page 10

 Q: How do you troubleshoot DNS resolution issues?
A: nslookup hostname, nslookup -type=MX [Link]. Use 'ipconfig /flushdns' to clear cache. Check
DNS server settings with ipconfig /all. Verify DNS records in DNS Manager. Check network connectivity to
DNS server.

2.4 Windows Troubleshooting

Q: How do you troubleshoot a Windows server that's slow?

A: Check Task Manager/Resource Monitor for CPU, Memory, Disk, Network usage → identify bottleneck
process → check Event Viewer for errors → check disk health (chkdsk) → review application logs →
check for malware → consider hardware upgrade.

Q: What is the Windows Event Viewer and what logs does it contain?
A: Event Viewer centralizes Windows logs. Key logs: Application (app errors), System (OS events),
Security (logon/audit events), Setup (installation), and Applications & Services Logs (role-specific logs like
AD, DNS).

Q: How do you check if a Windows service is running?

A: [Link] GUI, or Get-Service servicename in PowerShell, or sc query servicename in CMD. Net
start lists all running services. Task Manager → Services tab.

Q: A user cannot log in to their Windows machine. How do you troubleshoot?

A: Check if account is locked/disabled in AD → verify Caps Lock → check if computer is connected to
domain (ping DC) → check if user profile is corrupted → review Security Event Log (4625 = failed logon)
→ try logging in with another account → check logon restrictions/GPO.

Q: What is the purpose of chkdsk?

A: chkdsk checks disk for file system errors and bad sectors. 'chkdsk C: /f' fixes errors. 'chkdsk C: /r'
locates bad sectors. Run at next boot for system drive. Use in Windows Recovery Environment for
unbootable systems.

Q: How do you access a Windows system remotely?

A: RDP (Remote Desktop) — [Link] or Remote Desktop app. PowerShell Remoting —
Enter-PSSession. WinRM. VNC tools. Direct Console Access via IPMI/iDRAC/ILO for out-of-band
management.

2.5 PowerShell Basics

Q: What is PowerShell and why is it important for sysadmins?

A: PowerShell is Microsoft's task automation framework combining command-line shell and scripting
language. Essential for: AD management, system automation, bulk operations, configuration
management, and remote management at scale.

Q: How do you get help in PowerShell?

A: Get-Help command-name. Get-Help Get-Service -Examples for examples. Get-Help Get-Service -Full
for complete help. Update-Help to update help files. Get-Command lists available commands.

Q: Write a PowerShell one-liner to find all disabled AD users.

A: Get-ADUser -Filter {Enabled -eq $false} -Properties * | Select-Object Name, SamAccountName,
LastLogonDate | Export-Csv disabled_users.csv -NoTypeInformation

Q: How do you check disk space on remote computers using PowerShell?

SysAdmin Interview Complete Guide Page 11

 A: Get-WmiObject -Class Win32_LogicalDisk -ComputerName server01 | Where-Object {$_.DriveType
-eq 3} | Select-Object DeviceID,@{N='FreeGB';E={[math]::Round($_.FreeSpace/1GB,2)}}

SysAdmin Interview Complete Guide Page 12

Chapter 3: Networking Fundamentals (CCNA Level)

3.1 OSI Model

Q: Explain the 7 layers of the OSI model.

A: Layer 7 Application — user interface (HTTP, FTP, DNS). Layer 6 Presentation — data
format/encryption (SSL, TLS). Layer 5 Session — connection management. Layer 4 Transport —
end-to-end delivery (TCP, UDP). Layer 3 Network — logical addressing/routing (IP). Layer 2 Data Link —
MAC addressing, framing (Ethernet). Layer 1 Physical — bits over wire/wireless.

Q: What layer does a switch operate at?

A: A basic switch operates at Layer 2 (Data Link) using MAC addresses. A Layer 3 switch can route traffic
between VLANs using IP addresses. A hub operates at Layer 1.

Q: What layer does a router operate at?

A: Routers operate at Layer 3 (Network layer) and make forwarding decisions based on IP addresses.
They connect different networks and maintain routing tables.

Q: What is the difference between TCP and UDP?

A: TCP: connection-oriented, reliable, ordered delivery, error checking, handshake required, slower. UDP:
connectionless, unreliable, no guarantee of delivery, faster, used for streaming/DNS/gaming. TCP uses
3-way handshake; UDP just sends.

Q: Explain the TCP 3-way handshake.

A: Client → Server: SYN (I want to connect). Server → Client: SYN-ACK (OK, I acknowledge). Client →
Server: ACK (Great, connection established). This establishes sequence numbers and synchronizes both
sides before data transfer.

3.2 IP Addressing & Subnetting

Q: What is the difference between public and private IP addresses?

A: Private IPs (RFC 1918): [Link]/8, [Link]/12, [Link]/16 — used internally, not routable on
internet. Public IPs are globally unique and routable on internet. NAT translates private to public.

Q: What is a subnet mask and CIDR notation?

A: Subnet mask defines the network and host portions. /24 = [Link] (256 addresses, 254 usable).
/25 = [Link] (128 addresses, 126 usable). CIDR notation /prefix represents number of network
bits.

Q: How many usable hosts in a /26 subnet?

A: A /26 has 6 host bits: 2^6 = 64 addresses. Subtract 2 (network and broadcast) = 62 usable host
addresses. Subnet mask is [Link].

Q: What is the difference between Class A, B, and C networks?

A: Class A: 1-126.x.x.x, /8, 16M hosts. Class B: 128-191.x.x.x, /16, 65K hosts. Class C: 192-223.x.x.x,
/24, 254 hosts. Class D: 224-239 multicast. Class E: 240-255 experimental. CIDR has replaced classful
networking.

Q: What is VLSM?
A: Variable Length Subnet Masking — allows using different subnet sizes within the same network space.
Efficient use of IP addresses by sizing subnets to actual needs rather than fixed classes. Example: /30 for

SysAdmin Interview Complete Guide Page 13

 point-to-point links (2 usable IPs).

Q: What is the loopback address?

A: [Link] (IPv4) or ::1 (IPv6) is the loopback address used to test the TCP/IP stack on a local machine.
Traffic sent to loopback never leaves the host. Entire [Link]/8 range is reserved for loopback.

3.3 Routing Protocols

Q: What is the difference between static and dynamic routing?

A: Static: manually configured routes, no overhead, best for small/simple networks, doesn't adapt to
changes. Dynamic: routers exchange routing information automatically (RIP, OSPF, EIGRP, BGP),
scalable, self-healing.

Q: What is OSPF?
A: Open Shortest Path First — link-state IGP routing protocol. Uses Dijkstra algorithm to find shortest
path. AD=110. Groups routers into areas (Area 0 = backbone). Supports VLSM, fast convergence.
Packets: Hello, DBD, LSR, LSU, LSAck.

Q: What is BGP?
A: Border Gateway Protocol — EGP (Exterior Gateway Protocol) used between autonomous systems on
the internet. Path-vector protocol, AD=20 (eBGP) or 200 (iBGP). Used by ISPs and large enterprises.
Selects best path based on attributes (AS-PATH, MED, LOCAL-PREF, etc.).

Q: What is Administrative Distance?

A: AD is the trustworthiness of a routing source. Lower is preferred. Connected=0, Static=1, EIGRP
Summary=5, eBGP=20, EIGRP=90, OSPF=110, IS-IS=115, RIP=120, iBGP=200. If two sources provide
same route, lower AD wins.

Q: What is a default route?

A: [Link]/0 is the default route (gateway of last resort). Traffic not matching any specific route is
forwarded to the default gateway. Configured as: ip route [Link] [Link] next-hop on Cisco routers.

Q: What is EIGRP?
A: Enhanced Interior Gateway Routing Protocol — Cisco proprietary (now open), hybrid protocol using
DUAL algorithm. Fast convergence, supports VLSM, unequal cost load balancing. AD=90. Sends partial
updates only when topology changes.

3.4 Switching Concepts

Q: How does a switch learn MAC addresses?

A: A switch learns MAC addresses dynamically: when a frame arrives on a port, the switch records the
source MAC and port in its MAC address table (CAM table). If destination MAC is unknown, it floods all
ports except source.

Q: What is STP (Spanning Tree Protocol)?

A: STP (802.1D) prevents Layer 2 loops by blocking redundant paths. Elects a Root Bridge (lowest Bridge
ID). Ports go through: Blocking → Listening → Learning → Forwarding. RSTP (802.1w) is faster. PVST+
runs per-VLAN.

Q: What is the difference between a hub, switch, and router?

A: Hub: Layer 1, broadcasts to all ports, one collision domain, deprecated. Switch: Layer 2, forwards
based on MAC, separate collision domain per port, one broadcast domain per VLAN. Router: Layer 3,
forwards based on IP, separates broadcast domains.

SysAdmin Interview Complete Guide Page 14

 Q: What is Port Security on a switch?
A: Port Security limits the number of MAC addresses on a switch port, preventing unauthorized devices.
Actions on violation: Shutdown (default), Protect (drop frames), Restrict (drop + log). Config: switchport
port-security maximum 2.

Q: What is EtherChannel?
A: EtherChannel (LACP/PAgP) bundles multiple physical links into one logical link for redundancy and
increased bandwidth. LACP (IEEE 802.3ad) is open standard, PAgP is Cisco proprietary. Up to 8 links
per bundle.

3.5 NAT, ACL & Troubleshooting

Q: What is NAT and why is it used?

A: Network Address Translation maps private IP addresses to public IPs, conserving the IPv4 address
space. Types: Static NAT (1:1), Dynamic NAT (pool), PAT/NAT Overload (many:1 using ports). PAT is
most common in homes/businesses.

Q: What is the difference between standard and extended ACLs?

A: Standard ACL (1-99): filters based on source IP only. Place close to destination. Extended ACL
(100-199): filters on source IP, destination IP, protocol, port. Place close to source. Named ACLs can use
descriptive names.

Q: How do you troubleshoot a connectivity issue on a Cisco router?

A: ping and traceroute → show ip route → show ip interface brief → show interfaces → show
running-config → debug ip packet (caution on production) → show arp → test connectivity step by step.

Q: What does 'show ip interface brief' show?

A: Shows all interfaces, IP addresses, and status: Interface, IP-Address, OK?, Method (manual/DHCP),
Status (up/down/admin down), Protocol (up/down). Quick overview of all interface states on a Cisco
device.

SysAdmin Interview Complete Guide Page 15

Chapter 4: VLAN & Network Management

4.1 VLAN Fundamentals

Q: What is a VLAN?
A: Virtual LAN logically segments a physical network into separate broadcast domains without requiring
separate physical switches. Improves security, reduces broadcasts, and simplifies network management.
Configured on managed switches.

Q: What is the difference between access and trunk ports?

A: Access port: belongs to one VLAN, sends untagged frames, connects end devices (PCs, servers).
Trunk port: carries multiple VLANs using 802.1Q tagging, connects switch-to-switch or switch-to-router.

Q: What is 802.1Q tagging?

A: 802.1Q adds a 4-byte tag to Ethernet frames containing VLAN ID (12-bit, supports 4094 VLANs). The
native VLAN sends untagged frames on trunk ports. All other VLANs are tagged.

Q: What is a Native VLAN?

A: The native VLAN (default VLAN 1) sends/receives untagged frames on trunk ports. Both ends of a
trunk must agree on native VLAN or a native VLAN mismatch occurs. Best practice: change native VLAN
from 1 and don't use it for user traffic.

Q: How do you configure a VLAN on a Cisco switch?

A: vlan 10 → name Sales (creates VLAN). interface fa0/1 → switchport mode access → switchport
access vlan 10 (access port). interface fa0/24 → switchport mode trunk → switchport trunk allowed vlan
10,20 (trunk port).

Q: What is VTP (VLAN Trunking Protocol)?

A: VTP synchronizes VLAN information across switches. Modes: Server (create/modify/delete VLANs),
Client (receives updates), Transparent (doesn't participate but forwards). Caution: a new server with
higher revision can wipe VLAN configs.

Q: What is Inter-VLAN routing?

A: VLANs are isolated; inter-VLAN routing allows traffic between VLANs. Methods: Router-on-a-stick (one
physical link with subinterfaces), Layer 3 switch (SVIs — Switched Virtual Interfaces). SVI is preferred for
performance.

4.2 Network Monitoring & Management

Q: What is SNMP?
A: Simple Network Management Protocol monitors and manages network devices. Manager polls agents
on devices (routers, switches). Uses MIBs (Management Information Base) for data. Ports: 161 (queries),
162 (traps). v3 adds authentication and encryption.

Q: What is Syslog?
A: Syslog is a standard for sending log messages from network devices to a central server. Severity
levels 0-7: Emergency, Alert, Critical, Error, Warning, Notice, Informational, Debug. Default port UDP 514.

Q: What is NTP?
A: Network Time Protocol synchronizes clocks across network devices. Critical for log correlation,
Kerberos authentication, and certificate validity. Port 123 UDP. Stratum 0 = atomic clock, Stratum 1 =

SysAdmin Interview Complete Guide Page 16

 directly connected to stratum 0.

Q: What tools do you use for network monitoring?

A: Nagios/Zabbix/PRTG for infrastructure monitoring. Wireshark for packet capture. SolarWinds for
enterprise. Cisco Prime for Cisco devices. ntopng for traffic analysis. Nmap for network scanning and
discovery.

Q: What is a network baseline?

A: A network baseline documents normal network behavior — typical bandwidth usage, latency, error
rates, device CPU/memory. Used to identify anomalies and troubleshoot performance issues by
comparing current state to baseline.

Q: What is QoS?
A: Quality of Service prioritizes certain types of network traffic. Ensures voice/video get low latency.
Methods: Classification (marking), Queuing, Shaping/Policing. DSCP markings in IP header. Critical for
VoIP and video conferencing.

SysAdmin Interview Complete Guide Page 17

Chapter 5: Common Ports & Protocols

5.1 Essential Port Reference Table

Port Protocol Service Description

20/21 TCP FTP File Transfer — 20 data, 21 control

22 TCP SSH/SFTP/SCP Secure Shell, secure file transfer

23 TCP Telnet Unencrypted remote access (avoid!)

25 TCP SMTP Sending email between servers

53 TCP/UDP DNS Domain Name System resolution

67/68 UDP DHCP 67 server, 68 client — IP assignment

69 UDP TFTP Trivial FTP — no auth, network booting

80 TCP HTTP Unencrypted web traffic

110 TCP POP3 Email retrieval (older protocol)

119 TCP NNTP Network News Transfer Protocol

123 UDP NTP Network Time Protocol

135 TCP RPC Microsoft RPC endpoint mapper

137-139 TCP/UDP NetBIOS Windows file/print sharing (older)

143 TCP IMAP Email retrieval with folder support

161/162 UDP SNMP 161 queries, 162 traps — monitoring

389 TCP/UDP LDAP Active Directory/directory queries

443 TCP HTTPS Encrypted web traffic (TLS/SSL)

445 TCP SMB Windows file sharing, AD replication

514 UDP Syslog System logging to central server

587 TCP SMTP/TLS Email submission (authenticated)

636 TCP LDAPS LDAP over SSL — secure directory

993 TCP IMAPS IMAP over SSL

995 TCP POP3S POP3 over SSL

1433 TCP MSSQL Microsoft SQL Server

1521 TCP Oracle DB Oracle Database

3306 TCP MySQL MySQL/MariaDB Database

3389 TCP RDP Remote Desktop Protocol

5432 TCP PostgreSQL PostgreSQL Database

5900 TCP VNC Virtual Network Computing

8080 TCP HTTP-Alt Alternative HTTP / proxy

SysAdmin Interview Complete Guide Page 18

 8443 TCP HTTPS-Alt Alternative HTTPS

5.2 Protocol Questions

Q: What is the difference between HTTP and HTTPS?

A: HTTP (port 80) sends data in plain text — insecure. HTTPS (port 443) encrypts data using TLS/SSL,
preventing eavesdropping and tampering. Always use HTTPS for sensitive data. HTTP/2 and HTTP/3 are
only available over HTTPS.

Q: What is ICMP and what is it used for?

A: Internet Control Message Protocol — used for network diagnostics and error reporting. ping uses ICMP
echo request/reply. traceroute uses ICMP TTL exceeded messages. Not for data transfer. ICMP is IP
protocol number 1.

Q: What is ARP?
A: Address Resolution Protocol maps IP addresses to MAC addresses on a local network. A device
broadcasts 'Who has IP X?' and the owner replies with its MAC. ARP table caches mappings. ARP
poisoning is a security attack.

Q: What is the difference between SMTP, POP3, and IMAP?

A: SMTP (25/587) sends email. POP3 (110/995) downloads email and usually deletes from server —
single device use. IMAP (143/993) keeps email on server, syncs across multiple devices — preferred for
modern use.

Q: What is DNS over HTTPS (DoH)?

A: DoH encrypts DNS queries by sending them over HTTPS (port 443) instead of plain UDP/TCP port 53.
Prevents ISPs and attackers from seeing which domains you're looking up. Supported in modern
browsers and OS.

SysAdmin Interview Complete Guide Page 19

Chapter 6: Patch Management

6.1 Patch Management Fundamentals

Q: What is patch management and why is it important?

A: Patch management is the process of identifying, acquiring, testing, deploying, and verifying software
updates. Critical for: closing security vulnerabilities, fixing bugs, ensuring compliance, and maintaining
stability.

Q: What is the patch management lifecycle?

A: 1. Inventory (know your assets) → 2. Identify patches (vendor advisories, CVEs) → 3. Test in
non-production → 4. Schedule maintenance window → 5. Deploy patches → 6. Verify deployment → 7.
Document → 8. Report compliance.

Q: What is WSUS?
A: Windows Server Update Services — Microsoft's free tool for managing Windows updates. Allows
admins to approve, decline, and schedule updates. Clients check WSUS instead of Microsoft Update.
Reduces internet bandwidth. Reports on compliance.

Q: How do you configure WSUS with Group Policy?

A: Computer Configuration → Administrative Templates → Windows Components → Windows Update →
Configure Automatic Updates → set WSUS server URL. Set update schedule and auto-install behavior.

Q: What is a patch Tuesday?

A: Microsoft releases security updates on the second Tuesday of every month (Patch Tuesday).
Emergency patches (zero-days) are released out-of-band. Sysadmins should test and deploy within 30
days; critical patches within 72 hours.

Q: What is the difference between a hotfix, patch, and service pack?

A: Hotfix: urgent single fix for a specific issue. Patch: broader fix addressing bugs/security. Service Pack:
cumulative collection of all updates, hotfixes, and patches released since the last service pack.

6.2 Linux Patching

Q: How do you patch a Linux system?

A: Ubuntu/Debian: apt update && apt upgrade -y, or apt dist-upgrade for full upgrade. RHEL/CentOS:
yum update -y or dnf update -y. Check what will be updated with apt list --upgradable or yum
check-update.

Q: How do you apply only security patches in Linux?

A: Ubuntu: apt-get upgrade --only-upgrade $(apt-get -s upgrade 2>&1 | grep Inst | grep security | awk
'{print $2}'). RHEL: yum --security update -y. Or use unattended-upgrades for automatic security patching.

Q: What is unattended-upgrades in Ubuntu?

A: Package that automatically applies security updates without admin intervention. Configure in
/etc/apt/[Link].d/50unattended-upgrades to specify which updates to auto-apply. Emails on completion.
Logs to /var/log/unattended-upgrades/.

Q: How do you check if a Linux system needs a reboot after patching?

A: Check if /var/run/reboot-required file exists (Ubuntu). 'needs-restarting -r' on RHEL. If kernel was
updated, reboot is required. Some packages like glibc also require reboot for security patches to take

SysAdmin Interview Complete Guide Page 20

 effect.

6.3 Patch Scenarios

Q: A critical zero-day vulnerability is announced. What is your process?

A: 1. Assess impact (does it affect your systems?) → 2. Apply vendor-recommended mitigations
immediately → 3. Test patch in dev/staging → 4. Emergency change request → 5. Deploy to production
ASAP → 6. Verify → 7. Monitor for exploitation attempts → 8. Document all actions.

Q: A patch broke a critical application. What do you do?

A: 1. Immediately notify stakeholders → 2. Rollback patch (uninstall or restore snapshot/backup) → 3.
Document the issue → 4. Test patch in isolated environment → 5. Contact vendor for compatibility info or
patch fix → 6. Schedule re-deployment with fix → 7. Update change management records.

Q: How do you ensure patches don't break production systems?

A: Maintain identical test environment → Apply patches to dev first → Automated testing after patching →
User acceptance testing → Staged rollout (10% → 50% → 100%) → Rollback plan ready → Maintenance
windows → Change management approval.

Q: How do you track patch compliance across 500 servers?

A: Use WSUS/SCCM for Windows. Spacewalk/Satellite for RHEL. Ansible/Chef/Puppet for multi-platform.
SIEM tools for reporting. Regular compliance scans with Nessus/Qualys. Monthly reporting to
management on patch status and exceptions.

SysAdmin Interview Complete Guide Page 21

Chapter 7: Hardware & Infrastructure

7.1 Server Hardware

Q: What are the main components of a server?

A: CPU (processor), RAM (memory), Storage (HDD/SSD/NVMe), Motherboard, NIC (network cards),
HBA (storage controllers), Power Supply (redundant), Cooling (fans/liquid), RAID Controller,
BMC/iDRAC/iLO for out-of-band management.

Q: What is the difference between a tower, rack, and blade server?

A: Tower: standalone, like a desktop tower, for small offices. Rack: 1U-4U units mounted in standard
19-inch racks, space-efficient, most common. Blade: modular servers sharing chassis, power, networking
— highest density, higher cost.

Q: What is out-of-band management?

A: Out-of-band management (iDRAC for Dell, iLO for HP, IPMI) allows remote server management
independent of the OS. Can power on/off, access console, check hardware health, update firmware —
even if OS is crashed or server is off.

Q: What is ECC RAM?

A: Error-Correcting Code RAM detects and corrects single-bit memory errors automatically. Required for
servers to prevent data corruption. Non-ECC RAM can silently corrupt data. ECC is slower and more
expensive but essential for server environments.

Q: What are the differences between SSD and HDD?

A: SSD: flash memory, no moving parts, faster (10x+ read/write), lower latency, more reliable, higher cost
per GB, limited write cycles. HDD: magnetic spinning disk, slower, cheaper per GB, higher capacity,
better for bulk storage, mechanical failure risk.

Q: What is NVMe?
A: Non-Volatile Memory Express — interface for SSDs using PCIe bus directly instead of SATA/SAS.
Much faster than SATA SSD: sequential reads 3-7 GB/s vs ~550 MB/s for SATA SSD. Lower latency.
Used in high-performance workloads.

7.2 RAID Levels

RAID Minimum Disks Redundancy Performance Use Case

RAID 0 2 None Excellent R/W Performance, non-critical data

RAID 1 2 1 disk failure Good read, normal write OS drives, critical data

RAID 5 3 1 disk failure Good read, slower write General storage, databases

RAID 6 4 2 disk failures Good read, slower write Large arrays, cold storage

RAID 10 4 1 per mirror Excellent R/W Databases, high IOPS apps

RAID 50 6 1 per RAID5 set Very good Large high-performance storage

Q: A RAID 5 array loses one disk. What do you do?

SysAdmin Interview Complete Guide Page 22

 A: 1. Don't panic — array still online in degraded mode. 2. Replace failed disk immediately with identical
spec. 3. Initiate rebuild (automatic or manual in RAID controller). 4. Monitor rebuild progress (can take
hours). 5. Do NOT let another disk fail — replace quickly. 6. After rebuild, verify integrity. 7. Investigate
root cause.

Q: What is the difference between hardware and software RAID?

A: Hardware RAID: dedicated RAID controller card, offloads processing from CPU, faster, transparent to
OS, controller failure = problem. Software RAID: OS manages RAID (mdadm in Linux, Storage Spaces in
Windows), cheaper, slower, flexible, controller-independent.

Q: What is hot-spare in RAID?

A: A hot-spare is an idle disk in a RAID array that automatically replaces a failed disk and begins
rebuilding without admin intervention. Reduces recovery time. Can be dedicated to one array (dedicated)
or shared across arrays (global).

7.3 Hardware Troubleshooting

Q: How do you troubleshoot a server that won't boot?

A: Check power LEDs and POST codes → Check iDRAC/iLO for alerts → Verify RAM seating and test
with one DIMM → Check RAID controller for disk failures → Verify boot order in BIOS → Try booting from
external media → Check for beep codes → Review server event log → Swap suspect components.

Q: How do you monitor server hardware health?

A: iDRAC/iLO web interface for real-time health → SNMP traps to monitoring system → Server vendor
tools (Dell OpenManage, HP SIM) → Check event logs for hardware errors → Monitor temperatures, fan
speeds, power consumption → Regular firmware updates.

Q: What is a UPS and why is it important?

A: Uninterruptible Power Supply provides battery backup during power outages. Protects servers from
sudden shutdown (data loss, filesystem corruption). Also conditions power (filters surges/sags). Configure
servers to gracefully shutdown when UPS battery reaches threshold via NUT or vendor software.

Q: What is thermal throttling?

A: Thermal throttling is when a CPU reduces its clock speed to lower heat output when temperature
exceeds safe threshold. Causes: poor cooling, blocked airflow, failed fan, ambient temperature too high,
dried thermal paste. Monitor with sensors, check physical cooling.

SysAdmin Interview Complete Guide Page 23

Chapter 8: Security & Firewall

8.1 Security Fundamentals

Q: What is the principle of least privilege?

A: Users and systems should have only the minimum access required to perform their job. Limits blast
radius of compromised accounts. Implement with RBAC, use dedicated service accounts, avoid sharing
admin accounts, regular access reviews.

Q: What is the difference between authentication and authorization?

A: Authentication: verifying identity (who are you?) — username/password, MFA, certificates.
Authorization: verifying permissions (what can you do?) — ACLs, RBAC, policies. Both are required for
secure access control.

Q: What is Multi-Factor Authentication (MFA)?

A: MFA requires two or more factors: Something you know (password), Something you have (token,
phone), Something you are (fingerprint, face). Significantly reduces account compromise risk even if
password is stolen.

Q: What is a firewall and types?

A: A firewall controls network traffic based on rules. Types: Packet Filter (stateless, basic ACL), Stateful
(tracks connections), Application/Layer 7 (deep packet inspection, understands protocols), NGFW
(Next-Gen: IPS, App ID, URL filtering), WAF (Web Application Firewall).

Q: What is the difference between IDS and IPS?

A: IDS (Intrusion Detection System) monitors and alerts on suspicious activity — passive, doesn't block.
IPS (Intrusion Prevention System) monitors and actively blocks threats — inline, can disrupt traffic. IPS
has higher false-positive impact.

Q: What is a DMZ?
A: Demilitarized Zone is a network segment between the internet and internal network. Public-facing
services (web, mail, DNS) are placed in DMZ. If compromised, attackers can't directly reach internal
network. Implemented with two firewalls or a firewall with multiple interfaces.

Q: What is VPN?
A: Virtual Private Network creates encrypted tunnels over public internet. Types: Site-to-Site (connects
networks), Remote Access (user to network), SSL VPN (browser-based). Protocols: IPSec, OpenVPN,
WireGuard. Use split tunneling to route only corporate traffic through VPN.

Q: What is SSL/TLS?
A: Transport Layer Security (TLS, formerly SSL) encrypts communications between client and server.
TLS 1.3 is current standard. TLS 1.0/1.1 are deprecated. Certificate-based authentication. Used in
HTTPS, SMTPS, IMAPS, LDAPS.

8.2 Incident Response

Q: You discover a server has been compromised. What do you do?

A: 1. Isolate immediately (disconnect from network) → 2. Preserve evidence (take memory dump, disk
image) → 3. Notify security team and management → 4. Identify scope (what was accessed?) → 5.
Preserve logs → 6. Remediate (clean or rebuild) → 7. Restore from known-good backup → 8. Root cause

SysAdmin Interview Complete Guide Page 24

 analysis → 9. Implement controls to prevent recurrence → 10. Document and report.

Q: What is a vulnerability scan vs penetration test?

A: Vulnerability scan: automated tool identifies known vulnerabilities (Nessus, Qualys) — broad coverage,
no exploitation. Penetration test: skilled professional attempts to exploit vulnerabilities to determine
real-world impact — deeper, manual, shows actual risk.

Q: What are common types of cyber attacks?

A: Phishing — email-based social engineering. Ransomware — encrypts data for ransom. Brute force —
password guessing. SQL injection — database attacks via input. XSS — cross-site scripting. MITM —
intercepts communications. DDoS — overwhelms services. Insider threats.

Q: How do you harden a Linux server?

A: Disable root SSH login (PermitRootLogin no) → Use SSH keys instead of passwords → Configure
firewall (iptables/firewalld) → Remove unnecessary packages → Keep patched → Enable
SELinux/AppArmor → Configure fail2ban → Audit with Lynis → Monitor logs → Disable unused services
→ Use strong password policies.

SysAdmin Interview Complete Guide Page 25

Chapter 9: Virtualization, Cloud & Backup

9.1 Virtualization

Q: What is virtualization and what are its benefits?

A: Virtualization creates multiple virtual machines on one physical host using a hypervisor. Benefits:
server consolidation (fewer physical servers), cost savings, easy provisioning, snapshots, high
availability, disaster recovery, hardware independence.

Q: What is the difference between Type 1 and Type 2 hypervisors?

A: Type 1 (bare-metal): runs directly on hardware — VMware ESXi, Microsoft Hyper-V, Citrix XenServer.
Better performance, used in enterprise. Type 2 (hosted): runs on top of OS — VMware Workstation,
VirtualBox. Used for development/testing.

Q: What is a snapshot in virtualization?

A: A snapshot captures the state of a VM at a point in time (disk, memory, configuration). Used before
making risky changes — can revert instantly. Not a backup (same storage). Can chain multiple
snapshots. Too many snapshots degrade performance.

Q: What is vMotion in VMware?

A: vMotion migrates running VMs between ESXi hosts with zero downtime. Requires shared storage and
network connectivity. Storage vMotion migrates VM disk files. DRS (Distributed Resource Scheduler)
uses vMotion to balance load automatically.

Q: What is High Availability (HA) in VMware?

A: VMware HA monitors hosts and automatically restarts VMs on other hosts if a host fails. Requires
cluster with shared storage. Different from FT (Fault Tolerance) which runs simultaneous VM copy with no
data loss or downtime.

Q: What is the difference between VMware and Hyper-V?

A: VMware: market leader, most features, vSphere suite, enterprise-grade, licensed cost. Hyper-V:
Microsoft free with Windows Server, integrated with Microsoft ecosystem, good AD integration, improving
feature set. Both support clustering and live migration.

9.2 Cloud Basics

Q: What are the cloud service models?

A: IaaS (Infrastructure as a Service): virtual machines, storage, networking — AWS EC2, Azure VMs.
PaaS (Platform as a Service): managed platform for apps — AWS Elastic Beanstalk, Azure App Service.
SaaS (Software as a Service): complete applications — Office 365, Salesforce, Gmail.

Q: What is the difference between public, private, and hybrid cloud?

A: Public cloud: shared infrastructure, provider manages hardware, pay-as-you-go (AWS, Azure, GCP).
Private cloud: dedicated to one organization, on-premises or hosted. Hybrid: combination of both,
workloads can move between them based on needs and compliance.

Q: What is auto-scaling?
A: Auto-scaling automatically adjusts the number of compute resources based on demand. Scale out
adds instances when load increases; scale in removes them when load decreases. Saves cost (only pay
for what you use) and handles traffic spikes.

SysAdmin Interview Complete Guide Page 26

 Q: What is a CDN?
A: Content Delivery Network distributes content across geographically distributed servers/nodes. Users
get content from nearest node — lower latency, better performance. Reduces origin server load.
Examples: Cloudflare, AWS CloudFront, Akamai.

9.3 Backup & Disaster Recovery

Q: What is the 3-2-1 backup rule?

A: Keep 3 copies of data. Store on 2 different media types (disk + tape, or local + cloud). Keep 1 copy
offsite. This protects against single point of failure, hardware failure, fire/flood, and ransomware.

Q: What is the difference between backup and replication?

A: Backup: periodic copy of data at a point in time, can recover from days/weeks ago, protects against
data corruption/deletion. Replication: real-time or near-real-time copy, faster recovery, but replicates
corruption/deletion immediately.

Q: What is RTO and RPO?

A: RTO (Recovery Time Objective): maximum acceptable downtime — how quickly must systems be
restored? RPO (Recovery Point Objective): maximum acceptable data loss — how old can the recovered
data be? Lower RTO/RPO = more expensive solution required.

Q: What is the difference between a cold, warm, and hot DR site?

A: Cold site: empty facility, no pre-deployed equipment, cheapest, days to weeks recovery. Warm site:
some infrastructure ready, hours to days recovery. Hot site: fully operational replica, near-zero recovery
time, most expensive.

Q: How do you test a backup?

A: Restoration test to isolated environment → Verify data integrity and completeness → Test application
functionality on restored data → Document restore time → Test regularly (quarterly minimum) → Never
assume backup works without testing!

SysAdmin Interview Complete Guide Page 27

Chapter 10: Day-to-Day Scenarios

10.1 Common Real-World Scenarios

Q: A user says 'the internet is slow'. How do you troubleshoot?

A: 1. Is it one user or all users? 2. Specific sites or all? 3. Test speed ([Link]) → 4. Check DNS
resolution (nslookup) → 5. Check proxy settings → 6. Test different browser/device → 7. Check interface
utilization on router/switch → 8. Check ISP status page → 9. Traceroute to identify bottleneck → 10.
Check for bandwidth-heavy applications on network.

Q: A user can't send emails. How do you troubleshoot?

A: Check if receiving works → Test webmail → Verify SMTP settings (server, port, auth) → Check if
account is over quota → Review NDR (bounce) message for error codes → Check antivirus not blocking
SMTP → Verify DNS MX records → Check if IP is blacklisted (MX Toolbox) → Review mail server logs.

Q: A server is showing 100% CPU. What do you do?

A: 1. Don't panic, collect info first. 2. top/htop to identify process. 3. Review process — scheduled job,
runaway app, malware? 4. strace -p PID to see system calls. 5. Check logs. 6. If malware suspected —
isolate. 7. If legitimate — optimize or schedule for off-hours. 8. Kill only if necessary. 9. Root cause
analysis. 10. Implement monitoring alerts.

Q: Users report the file server is slow. How do you troubleshoot?

A: Check server resources (CPU, RAM, disk I/O) → iostat, iotop for disk bottleneck → Check network
utilization (iftop, nethogs) → Check SMB connections and open files → Review antivirus scan schedule →
Check for failing disk (SMART data) → Check RAID status → Review event logs for errors → Consider
adding RAM or upgrading storage.

Q: A printer isn't working for some users but works for others. What do you check?
A: Check if affected users have print permissions → Review printer queue for stuck jobs → Compare
working vs non-working user settings/profiles → Check if driver is same version → Test with a different
document → Check if GPO is applying correctly → Review printer security settings → Test from
command line (net print).

Q: A new employee needs to start working. What is your onboarding process?

A: Create AD account with correct OU → Set temporary password (force change on first login) → Add to
appropriate security/distribution groups → Create email mailbox → Apply appropriate GPO → Set up
workstation/laptop → Install required software → Configure VPN access if needed → Provide credentials
securely → Document and get manager sign-off.

Q: How do you handle a hard disk failure on a production server?

A: Check RAID controller status for drive identification → Note which drive failed (slot/serial number) →
Order replacement drive (same specs) → Schedule maintenance if RAID 5/6 is already degraded →
Hot-swap if supported → Monitor rebuild progress → Alert team → Document incident → Review
monitoring to catch earlier next time.

10.2 Change Management

Q: What is change management and why is it important?

A: Change management is a structured process for requesting, reviewing, approving, and documenting
changes to IT infrastructure. Prevents unauthorized changes, reduces risk, ensures rollback plans exist,

SysAdmin Interview Complete Guide Page 28

 maintains audit trail, and improves communication between teams.

Q: What is a CAB (Change Advisory Board)?

A: CAB is a committee that reviews, approves, or rejects proposed changes to IT systems. Typically
includes IT managers, service owners, and business representatives. Emergency CAB (ECAB) handles
urgent changes with fewer members for faster approval.

Q: What should a change request include?

A: Description of change, business justification, risk assessment, implementation plan (step-by-step),
rollback plan, testing plan, maintenance window, approval sign-offs, impacted systems/users, and
communication plan.

SysAdmin Interview Complete Guide Page 29

Chapter 11: Tough & Tricky Questions (L2/L3)

11.1 Advanced Scenario Questions

Q: You have a memory leak in a production application. How do you handle it without
downtime?
A: Monitor memory growth with top/ps → Identify leaking process → If supported, increase Java heap
(-Xmx) or configure memory limits → Schedule rolling restarts (restart one instance at a time behind load
balancer) → Enable JVM/application heap dumps for developer analysis → Long-term: apply application
fix/patch → Monitor after fix.

Q: Two servers can't communicate but are on the same subnet. How do you troubleshoot?
A: Ping by IP (not name to rule out DNS) → Check ARP tables (arp -n) for both hosts → Check firewall on
both hosts → Verify no host-based firewall blocking → Check VLAN assignments on switch ports →
Check for duplicate IPs → Verify subnet masks match → Capture traffic with tcpdump → Check NIC
status.

Q: Explain how you would set up a highly available web application infrastructure.
A: Load balancer (HAProxy/Nginx/F5) distributing across multiple web servers → Web servers in RAID +
clustered → Shared backend storage (NFS/SAN/NAS) → Database cluster (MySQL Galera/AlwaysOn) →
Caching layer (Redis/Memcached) → CDN for static content → Regular health checks → Automated
failover → Monitoring and alerting.

Q: What is TCP half-open and how does it relate to SYN flood attacks?
A: TCP half-open connections are SYN received but no SYN-ACK returned yet. SYN flood attack sends
thousands of SYNs with spoofed IPs — server allocates resources for each, exhausting connection table.
Mitigation: SYN cookies (server doesn't store state until ACK), rate limiting, firewall SYN flood protection.

Q: Explain split-brain in clustering and how to prevent it.

A: Split-brain occurs when cluster nodes lose communication but both believe they're the primary,
causing data corruption. Prevention: Quorum (majority voting), witness/arbiter node, STONITH (Shoot
The Other Node In The Head — fence/kill the other node), dedicated heartbeat links.

Q: A user's home directory is full but df shows disk has space. Explain.
A: The user likely hit their disk quota. Check with 'quota username' or 'repquota -a'. Or inode exhaustion
— check 'df -i'. Or the directory has a separate mount with its own disk. Or a disk is showing as full
because of reserved blocks (tune2fs -m 5% for root reserve).

Q: How does DNS caching affect troubleshooting?

A: If you change a DNS record but users still get old IP, DNS cache is serving stale data. TTL controls
how long caches hold records. Client: ipconfig /flushdns (Windows) or sudo systemd-resolve
--flush-caches. For immediate propagation, use low TTL before planned changes. Check with nslookup
against authoritative nameserver directly.

Q: What is the difference between process, thread, and coroutine?

A: Process: independent execution unit with own memory space, heavyweight. Thread: lightweight
execution unit sharing process memory, faster context switch. Coroutine: cooperative multitasking within
a single thread, yields execution voluntarily — used in async programming (Python asyncio).

Q: How would you migrate 100 servers from one VLAN to another with minimal downtime?

SysAdmin Interview Complete Guide Page 30

 A: Plan: document current config → create new VLAN → configure inter-VLAN routing to allow temporary
communication → update DHCP scopes → test with 1-2 servers first → migrate in batches during
off-hours → update DNS records → update access lists and firewall rules → decommission old VLAN
after all migrated → monitor and verify.

11.2 Configuration Questions

Q: What is SSH key-based authentication and how do you set it up?

A: Generate key pair: ssh-keygen -t rsa -b 4096. Copy public key to server: ssh-copy-id user@server
(adds to ~/.ssh/authorized_keys). Set permissions: chmod 700 ~/.ssh, chmod 600
~/.ssh/authorized_keys. Disable password auth in /etc/ssh/sshd_config: PasswordAuthentication no.

Q: How do you configure NTP on a Linux server?

A: Install: apt install chrony. Edit /etc/[Link], add 'server [Link] iburst'. Enable and start:
systemctl enable --now chrony. Verify: chronyc sources -v. For Windows: w32tm /config
/manualpeerlist:[Link] /syncfromflags:manual /update.

Q: How do you set up log rotation in Linux?

A: logrotate is standard. Config files in /etc/logrotate.d/. Example config: /var/log/app/*.log { daily rotate 14
compress missingok notifempty sharedscripts postrotate systemctl reload app endscript }. Run manually:
logrotate -f /etc/[Link].

Q: How do you configure sudo without a password for a specific command?

A: Edit /etc/sudoers with visudo. Add: username ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx.
This allows user to restart nginx without password but still requires password for other sudo commands.

SysAdmin Interview Complete Guide Page 31

Chapter 12: HR Round & Soft Skills

12.1 Common HR Questions

Q: Tell me about yourself.

A: Structure: Present → Past → Future. 'I am a System Administrator with X years of experience
specializing in [Linux/Windows/networking]. In my current role at [company], I manage [what]. Previously I
[past role/achievement]. I am looking to [growth/new challenge] which aligns with this role at your
company.'

Q: Why do you want to leave your current job?

A: Stay positive. Acceptable reasons: seeking growth opportunities, want to work with new technologies,
company reorganization, relocation, better work-life balance, desire to join a larger/smaller team. NEVER:
bad-mouth current employer, mention salary first, or say you were fired.

Q: What is your greatest strength?

A: Choose a strength relevant to the sysadmin role. Examples: 'I'm highly systematic in troubleshooting —
I methodically isolate variables before jumping to conclusions' or 'I'm proactive about documentation and
automation which helps the team work efficiently.'

Q: What is your greatest weakness?

A: Choose a real weakness you've actively worked to improve. Example: 'I used to struggle with saying no
to requests, which affected my priorities. I've learned to assess urgency vs importance and communicate
timelines effectively. I now use a ticketing system to track and communicate.'

Q: Where do you see yourself in 5 years?

A: 'I want to deepen my expertise in [cloud/security/automation] and move into a senior or lead engineer
role. I hope to contribute significantly to [company] while building skills in [relevant area]. I'm interested in
potentially mentoring junior team members as I grow.'

Q: Tell me about a time you handled a major incident.

A: Use STAR method: Situation (context), Task (your responsibility), Action (what YOU did), Result
(outcome). 'During a database outage affecting 500 users, I [actions taken], coordinated with [team],
restored service in [time], and implemented [preventive measure] to avoid recurrence.'

Q: How do you prioritize when multiple critical issues arise?

A: 'I assess impact and urgency: how many users are affected, is revenue impacted, is there a
workaround? I communicate status to stakeholders immediately, delegate if possible, and work most
critical first. I document as I go and do a proper handoff if shift ends.'

12.2 Behavioral Questions (STAR Method)

Q: Tell me about a time you went above and beyond.

A: Example answer: 'Our monitoring system wasn't alerting on memory issues (S). I was responsible for
ensuring system reliability (T). I spent time outside regular hours researching and configured custom
memory threshold alerts and automated responses (A). This helped us prevent 3 potential outages in the
next month (R).'

Q: Describe a conflict with a coworker and how you resolved it.

SysAdmin Interview Complete Guide Page 32

 A: 'My colleague and I disagreed on the right approach to a firewall change. I requested a meeting,
listened to their reasoning, shared my concerns with evidence, and we agreed to test both approaches in
staging. We found a combined solution better than either original idea and documented the process for
future reference.'

Q: Tell me about a mistake you made and what you learned.

A: Be honest but demonstrate learning. 'I once ran a script on the wrong server during maintenance,
affecting production. I immediately raised the alarm, we restored from backup in 45 minutes. I learned to
always double-check the hostname and implement change controls with peer review for all production
changes.'

Q: How do you keep your technical skills current?

A: Good answers: Follow vendor blogs and security advisories, home lab for practice, certifications
(CompTIA, Cisco, Microsoft), online courses (Linux Foundation, A Cloud Guru, Udemy), tech
communities (Reddit r/sysadmin), industry conferences, reading documentation and release notes.

12.3 Situational Questions

Q: Your manager asks you to bypass change management for an urgent change. What do you
do?
A: Assess if it's truly an emergency (service down, security breach). If yes, many orgs have emergency
change procedures — use them. Document everything in real-time. If not a true emergency, explain the
risk respectfully: 'I understand the urgency, but uncontrolled changes have caused outages before. Can
we use the emergency change process? It only takes 30 minutes.'

Q: You're asked to implement something you believe is technically wrong. What do you do?
A: 1. Ensure you fully understand their requirement first. 2. Clearly explain your technical concern with
evidence/examples. 3. Propose an alternative solution. 4. If overruled by management after explanation,
document your concern in writing. 5. Implement as directed while flagging the risk. 6. Never implement
something that creates a security risk or legal issue.

Q: How do you handle working under pressure during an outage?

A: 'I stay calm and methodical. First, I assess scope and impact, notify stakeholders with an initial status,
then focus on restoring service using a systematic approach. I communicate updates every 15-30
minutes. I avoid making multiple changes simultaneously. After resolution, I document a timeline and do a
post-incident review.'

Q: A user is frustrated and being rude while reporting an issue. How do you handle it?
A: Stay calm, don't take it personally, empathize: 'I understand this is causing you significant frustration
and I'm going to make this my top priority.' Focus on solving the problem. Don't argue. Escalate if abuse
continues. After resolution, follow up to ensure satisfaction. Document the interaction.

12.4 Technical HR Questions

Q: What certifications do you have or plan to get?

A: Mention existing certs. Show roadmap: 'I currently have CompTIA A+ and Network+. I'm working on my
RHCSA for Linux and CCNA for networking. After that I plan to pursue Microsoft MS-102 (Endpoint
Administrator) and eventually move toward cloud certifications like AWS SysOps.'

Q: What is your experience with ticketing systems?

A: Mention familiarity with: ServiceNow, Jira Service Management, Zendesk, Freshdesk, ManageEngine.
Emphasize: proper documentation, SLA adherence, follow-through, clear communication with users,

SysAdmin Interview Complete Guide Page 33

 accurate categorization and priority setting.

Q: How do you document your work?

A: 'I document everything in [Wiki/Confluence/SharePoint]. For each project, I write an overview, steps
taken, configurations made, and lessons learned. For incidents, I write RCA reports. I believe good
documentation makes the team more resilient and onboarding easier.'

12.5 Salary & Career Questions

Q: What are your salary expectations?

A: 'Based on my research on industry standards for this role in [location] and my [X] years of experience,
I'm looking for a range of [X to Y]. However, I'm open to discussion considering the overall compensation
package, growth opportunities, and work environment.'

Q: Do you prefer working in a team or independently?

A: 'I enjoy both. I work well independently — sysadmin often requires focused solo work for
troubleshooting and configurations. But I also value collaboration, especially for large projects, knowledge
sharing, and during major incidents where team coordination is critical. I adapt to what the situation
requires.'

Q: What do you find most challenging about sysadmin work?

A: Good answers: keeping up with ever-changing technology landscape, balancing security with usability,
managing end-user expectations during outages, justifying technical decisions to non-technical
management. Show self-awareness and that you've developed strategies to address challenges.

Q: Do you have questions for us?

A: ALWAYS have questions: 'What does the on-call rotation look like?' 'What technologies are you
planning to adopt in the next 12 months?' 'What does success look like for this role in the first 90 days?'
'What are the biggest challenges the team is currently facing?' 'How is the team structured?' These show
genuine interest.

12.6 Additional Soft Skills Topics

Q: How do you explain technical issues to non-technical users?

A: Avoid jargon, use analogies: 'The server is like a restaurant kitchen — right now too many orders came
in at once so food is slow.' Focus on impact and timeline not technical cause. Keep it simple and
reassuring. Check understanding by asking if they have questions.

Q: How do you manage multiple projects simultaneously?

A: Use ticketing/project management tools → prioritize by impact/urgency/deadline → time-block calendar
for focused work → daily stand-ups for visibility → communicate proactively if deadlines are at risk →
delegate where possible → review and reprioritize weekly.

Q: What is your approach to learning a new technology?

A: Read official documentation first → follow tutorials → set up a lab environment and practice → join
community forums → take online course if complex → document learnings → apply to real work
gradually. I build labs using VMs or cloud free tier to experiment safely.

Q: How do you handle on-call duties?

A: Ensure phone is always on and charged → have laptop ready → document runbooks for common
issues → know escalation paths → respond within SLA even if just to acknowledge → keep team
informed → for complex issues, don't hesitate to escalate → log all actions during on-call incidents.

SysAdmin Interview Complete Guide Page 34

Interview Success Tips

Before the Interview

Research the company and their tech stack. Review the job description carefully. Prepare examples for
each skill listed. Practice STAR-method answers. Test your technical environment for video interviews.
Prepare questions to ask.

During Technical Questions

Think out loud — interviewers want to see your reasoning process. Ask clarifying questions — real
sysadmins don't guess. Admit when you don't know something but explain how you'd find out. Use
specific examples from experience. Draw diagrams if helpful.

During HR Questions
Be concise but complete. Use the STAR method for behavioral questions. Be honest — consistency
matters. Show enthusiasm for the technology. Demonstrate a growth mindset.

After the Interview

Send a thank-you email within 24 hours. Reference something specific from the interview. Reiterate your
interest. Connect on LinkedIn professionally.

Key Certifications by Level

L1: CompTIA A+, ITIL Foundation. L2: CompTIA Network+, Security+, MCSA, RHCSA. L3: RHCE,
CCNA, MCSE, Azure/AWS SysOps. Senior: CISSP, CISM, AWS SA Professional, Cisco CCIE.

Best of luck in your interviews! — Prepared with care for all aspiring System Administrators

SysAdmin Interview Complete Guide Page 35