Wednesday, September 23, 2020

Top Active Directory Interview Questions & Answers

1) Mention what is Active Directory?

Active Directory is a directory structure used on Microsoft Windows-based servers and computers to store data and information about networks and domains.

2) Mention what are the new features in Active Directory (AD) of Windows Server 2012?

  • dcpromo (Domain Controller Promoter) with improved wizard: it allows you to view all the steps and review the detailed results during the installation process.
  • Enhanced Administrative Center: compared to earlier versions of Active Directory, the Administrative Center in Windows Server 2012 is better designed. The Exchange Management Console is also better designed.
  • Recycle Bin goes GUI: in Windows Server 2012 there are now several ways to enable the Active Directory Recycle Bin through the GUI in the Active Directory Administrative Center, which was not possible in earlier versions.
  • Fine-grained password policies (FGPP): in Windows Server 2012 implementing FGPP is much easier than in earlier versions. It allows you to create different password policies in the same domain.
  • Windows PowerShell History Viewer: you can view the Windows PowerShell commands that correspond to the actions you execute in the Active Directory Administrative Center UI.

3) Mention which is the default protocol used in directory services?

The default protocol used in directory services is LDAP (Lightweight Directory Access Protocol).

4) Explain the term FOREST in AD?

A forest is an assembly of AD domains that share a single AD schema. All DCs in the forest share this schema, which is replicated among them in a hierarchical fashion.

5) Explain what is SYSVOL?

The SYSVOL folder keeps the server's copy of the domain's public files. The contents of the SYSVOL folder, such as users, group policy, etc., are replicated to all domain controllers in the domain.

6) Mention what is the difference between domain admin groups and enterprise admins group in AD?

Enterprise Admin Group

  • Members of this group have complete control of all domains in the forest
  • By default, this group belongs to the Administrators group on all domain controllers in the forest
  • As such, this group has full control of the forest; add users with caution

Domain Admin Group

  • Members of this group have complete control of the domain
  • By default, this group is a member of the Administrators group on all domain controllers, workstations and member servers at the time they are joined to the domain
  • As such, the group has full control in the domain; add users with caution

7) Mention what system state data contains?

System state data contains:
  • Startup files
  • Registry
  • COM+ Registration Database
  • Memory page file
  • System files
  • AD information
  • SYSVOL folder
  • Cluster service information

8) Mention what is Kerberos?

Kerberos is a network authentication protocol. It is built to offer strong authentication for client/server applications by using secret-key cryptography.

9) Explain where the AD database is held. What other folders are related to AD?

The AD database is saved in %systemroot%\ntds. In the same folder you can also see other files; these are the main files controlling the AD structures:
  • dit
  • log
  • res1.log
  • log
  • chk

10) Mention what is PDC emulator and how would one know whether PDC emulator is working or not?

PDC Emulator: there is one PDC emulator per domain. When an authentication attempt fails, it is forwarded to the PDC emulator. It acts as a "tie-breaker" and it controls time synchronisation across the domain.

These are the symptoms through which we can know whether the PDC emulator is working or not:
  • Time is not syncing
  • User accounts are not being locked out
  • Windows NT BDCs are not getting updates
  • Pre-Windows 2000 computers are unable to change their passwords
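The answer above names three things to look at (who holds the role, time sync, replication). The following PowerShell script, added here as an example and not part of the original post, checks all three against the current PDC emulator. It assumes the ActiveDirectory RSAT module is installed and that netdom.exe, w32tm.exe and repadmin.exe are on PATH.

```powershell
# Added example (not from the original post): PDC emulator health check.
# Assumes the ActiveDirectory RSAT module plus netdom.exe, w32tm.exe and repadmin.exe.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator                     # FQDN of the advertised role holder
Write-Host "PDC emulator for $($domain.DNSRoot): $pdc"

# 1) Does netdom agree on who holds the role? A mismatch points at stale FSMO data.
$fsmo = netdom query fsmo 2>&1 | Out-String
if ($fsmo -match 'PDC\s+(\S+)' -and $Matches[1] -ine $pdc) {
    Write-Warning "netdom reports the PDC as $($Matches[1]), Get-ADDomain says $pdc"
}

# 2) Time sync. The PDC emulator is the domain's time reference; Kerberos rejects
#    tickets when clocks drift more than 5 minutes (default), so a large offset here
#    shows up as authentication failures across the domain.
$chart   = w32tm /stripchart /computer:$pdc /samples:3 /dataonly 2>&1
$offsets = $chart | Select-String -Pattern '([-+]\d+\.\d+)s' |
           ForEach-Object { [double]$_.Matches[0].Groups[1].Value }
if (-not $offsets) {
    Write-Warning "Could not sample time from $pdc (host down, NTP blocked, or W32Time stopped)"
} else {
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    if ($worst -gt 300) { Write-Warning ("Clock offset from PDC is {0:N1}s (> 5 min)" -f $worst) }
    else                { Write-Host    ("Clock offset from PDC is {0:N3}s" -f $worst) }
}

# 3) Inbound replication into the PDC. /showrepl /csv gives one row per partner per
#    naming context; rows with failures mean lockout and password data is stale there.
$rows = repadmin /showrepl $pdc /csv | Where-Object { $_ -ne '' } | ConvertFrom-Csv
$bad  = $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 }
if ($bad) {
    $bad | Select-Object 'Source DSA', 'Naming Context', 'Number of Failures',
                         'Last Failure Time', 'Last Failure Status' | Format-Table -AutoSize
} else {
    Write-Host "All $($rows.Count) inbound replication links to $pdc are healthy"
}
```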

11) Mention what are lingering objects?

Lingering objects can exist if a domain controller does not replicate for an interval of time that is longer than the tombstone lifetime (TSL).

12) Mention what is TOMBSTONE lifetime?

The tombstone lifetime in an Active Directory forest determines how long a deleted object is retained in Active Directory. Deleted objects in Active Directory are stored in a special object referred to as a TOMBSTONE. Usually, Windows will use a 60-day tombstone lifetime if no value is set in the forest configuration.
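Questions 11 and 12 belong together: a DC that has not replicated for longer than the tombstone lifetime is where lingering objects come from. The script below, added here as an example and not part of the original post, reads the forest's configured tombstone lifetime (falling back to the 60-day default the answer mentions) and flags replication partners whose last successful replication is approaching or past it. It assumes the ActiveDirectory RSAT module and read access to the configuration partition.

```powershell
# Added example (not from the original post): tombstone lifetime and lingering-object risk.
# Assumes the ActiveDirectory RSAT module and rights to read the configuration partition.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$ds      = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime

# If the attribute is unset, the forest uses the 60-day default; forests created on
# Windows Server 2003 SP1 or later normally have 180 written here explicitly.
$tsl = if ($null -ne $ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
Write-Host "Tombstone lifetime: $tsl days"

$now    = Get-Date
$cutoff = $now.AddDays(-$tsl)                       # past this, lingering objects are possible
$warnAt = $now.AddDays(-[math]::Floor($tsl / 2))    # warn well before that point

# One record per DC, per inbound partner, per naming context, across the whole forest.
$meta = Get-ADReplicationPartnerMetadata -Target (Get-ADForest).Name -Scope Forest -ErrorAction Stop

$report = $meta | ForEach-Object {
    $last  = $_.LastReplicationSuccess
    $state = if ($last -lt $cutoff) { 'LINGERING-RISK' }
             elseif ($last -lt $warnAt) { 'WARN' } else { 'OK' }
    [pscustomobject]@{
        Server      = $_.Server
        # Partner is the DN of the source DC's NTDS Settings object; the second RDN is the DC name.
        Partner     = (($_.Partner -split ',')[1]) -replace '^CN=', ''
        Partition   = $_.Partition
        LastSuccess = $last
        DaysSince   = [int]($now - $last).TotalDays
        State       = $state
    }
}
$report | Sort-Object DaysSince -Descending | Format-Table -AutoSize

# To confirm rather than predict, repadmin can list lingering objects without removing them:
#   repadmin /removelingeringobjects <suspect DC> <reference DC's DSA GUID> <naming context> /advisory_mode
```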

13) Explain what is Active Directory Schema?

The schema is the Active Directory component that describes all the attributes and objects the directory service uses to store data.

14) Explain what is a child DC?

A CDC or child DC is a sub-domain controller under the root domain controller that shares its namespace.

15) Explain what is RID Master?

RID Master stands for Relative Identifier Master; it is responsible for assigning unique IDs to the objects created in AD.

16) Mention what are the components of AD?

The components of AD include:
  • Logical structure: trees, forests, domains and OUs
  • Physical structure: domain controllers and sites

17) Explain what is Infrastructure Master?

The Infrastructure Master is responsible for updating information about users and groups and the global catalogue.

18) Define Active Directory

Active Directory is a database that stores data pertaining to the users within a network as well as the objects within the network. Active Directory allows the compilation of networks that connect with AD, as well as the management and administration thereof.

19) What is a domain within Active Directory?

A domain represents a group of network resources that includes computers, printers, applications and other resources. Domains share a directory database. The domain is represented by the address of the resources within the database. A domain address generally looks like 125.170.456. A user can log into a domain to gain access to the resources that are listed as part of that domain.

20) What is the domain controller?

The server that responds to user requests for access to the domain is called the Domain Controller or DC. The Domain Controller allows a user to gain access to the resources within the domain through the use of a single username and password.

21) Explain what domain trees and forests are

Domains that share common schemas and configurations can be linked to form a contiguous namespace called a domain tree. Domains within a tree are linked together by creating special trust relationships between them.

Forests consist of a number of domain trees that are linked together within AD, based on various implicit trust relationships. Forests are generally created where a server setup includes a number of root DNS addresses. Trees within the forest do not share a contiguous namespace.

22) What is LDAP?

LDAP is an acronym for Lightweight Directory Access Protocol and it refers to the protocol used to access, query and modify the data stored within the AD directories. LDAP is an internet standard protocol that runs over TCP/IP.

23) Explain what intrasite and intersite replication is and how KCC facilitates replication

The replication of DCs inside a single site is called intrasite replication, whilst the replication of DCs in different sites is called intersite replication. Intrasite replication occurs frequently, while intersite replication is scheduled mainly to conserve network bandwidth.

KCC is an acronym for the Knowledge Consistency Checker. The KCC is a process that runs on all of the domain controllers. The KCC builds the replication topology both within sites and between sites. Between sites, replication is done through SMTP or RPC, whilst intrasite replication is done using remote procedure calls over IP.

24) Name a few of the tools available in Active Directory and which tool would you use to troubleshoot any replication issues?

Active Directory tools include:
  • Dfsutil.exe
  • Netdiag.exe
  • Repadmin.exe
  • Adsiedit.msc
  • Netdom.exe
  • Replmon.exe

Replmon.exe is a graphical tool designed to visually represent the AD replication. Due to its graphical nature, replmon.exe allows you to easily spot and deal with replication issues.

25) What tool would you use to edit AD?

Adsiedit.msc is a low-level editing tool for Active Directory. Adsiedit.msc is a Microsoft Management Console snap-in with a graphical user interface that allows administrators to accomplish simple tasks like adding, editing and deleting objects within a directory service. Adsiedit.msc uses Application Programming Interfaces to access Active Directory. Since Adsiedit.msc is a Microsoft Management Console snap-in, it requires access to MMC and a connection to an Active Directory environment to function correctly.

26) How would you manage trust relationships from the command prompt?

Netdom.exe is another program within Active Directory that allows administrators to manage Active Directory. Netdom.exe is a command-line application that allows administrators to manage trust relationships within Active Directory from the command prompt. Netdom.exe allows for batch management of trusts. It allows administrators to join computers to domains. The application also allows administrators to verify trusts and secure Active Directory channels.
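As an added example (not part of the original post), the script below enumerates the domain's trusts with their security-relevant settings, verifies each with the netdom trust command the answer refers to, and checks this computer's own secure channel. It assumes the ActiveDirectory RSAT module and netdom.exe on PATH, run from a member of the trusting domain.

```powershell
# Added example (not from the original post): trust inventory and verification with netdom.
# Assumes the ActiveDirectory RSAT module and netdom.exe; run from the trusting domain.
Import-Module ActiveDirectory

$local  = (Get-ADDomain).DNSRoot
$trusts = Get-ADTrust -Filter * -Properties *

$report = foreach ($t in $trusts) {
    # netdom trust <trusting> /Domain:<trusted> /Verify checks the trust secret and the
    # secure channel to the partner; exit code 0 means the trust is usable.
    $out      = netdom trust $local /Domain:$($t.Target) /Verify 2>&1 | Out-String
    $ok       = ($LASTEXITCODE -eq 0)
    $lastLine = $out -split "`r?`n" | Where-Object { $_ -match '\S' } | Select-Object -Last 1
    [pscustomobject]@{
        Partner       = $t.Target
        Direction     = $t.Direction               # Inbound, Outbound or BiDirectional
        IntraForest   = $t.IntraForest             # parent/child or tree-root trust
        ForestTrust   = $t.ForestTransitive
        SIDFiltering  = $t.SIDFilteringQuarantined # $true: SID history from the partner is filtered
        SelectiveAuth = $t.SelectiveAuthentication # $true: partner users need explicit access grants
        AESKeys       = $t.UsesAESKeys
        Verified      = $ok
        Detail        = "$lastLine".Trim()
    }
}
$report | Format-Table -AutoSize

# Trusts that fail verification, or external trusts that accept unfiltered SIDs,
# are the ones to review first.
$report |
    Where-Object { -not $_.Verified -or (-not $_.IntraForest -and -not $_.ForestTrust -and -not $_.SIDFiltering) } |
    ForEach-Object { Write-Warning "Review trust with $($_.Partner): Verified=$($_.Verified) SIDFiltering=$($_.SIDFiltering)" }

# This computer's own secure channel to its domain (the "secure Active Directory channel"
# the answer mentions); -Repair resets it if it is broken.
if (-not (Test-ComputerSecureChannel)) {
    Write-Warning "Secure channel to $local is broken; run Test-ComputerSecureChannel -Repair as an administrator"
}
```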

27) Where is the AD database held and how would you create a backup of the database?

The database is stored within the Windows NTDS directory. You could create a backup of the database by creating a backup of the System State data using the default NTBACKUP tool provided by Windows or by Symantec's NetBackup. The System State backup will create a backup of the local registry, the boot files, the COM+ registration database, the NTDS.DIT file as well as the SYSVOL folder.

28) What is SYSVOL, and why is it important?

SYSVOL is a folder that exists on all domain controllers. It is the repository for all of the Active Directory files. It stores all the important elements of Active Directory group policy. The File Replication Service, or FRS, allows the replication of the SYSVOL folder among domain controllers. Logon scripts and policies are delivered to each domain user via SYSVOL.

SYSVOL stores all of the security-related information of the AD.

29) Briefly explain how Active Directory authentication works

When a user logs into the network, the user provides a username and password. The computer sends this username and password to the KDC, which contains the master list of unique long-term keys for each user. The KDC creates a session key and a ticket-granting ticket. This data is sent to the user's computer. The user's computer runs the data through a one-way hashing function that converts the data into the user's master key, which in turn enables the computer to communicate with the KDC to access the resources of the domain.
