
Tuesday, March 8, 2022

Top 10 Active Directory Interview Questions And Answers - Part 2 | Tech Aarya Blog - AD L3 Interview



Question 11 - How do you force replication between two domain controllers in a site?

Answer –

Step 1 Log in to one of your DCs and open Active Directory Sites and Services.

Step 2 Navigate to the site for which you’d like to replicate the domain controllers. Expand it by clicking the arrowhead next to the site name. Expand the Servers. Expand the DC which you’d like to replicate. Click on NTDS Settings.

Step 3 In the right pane, right-click on the server and select Replicate Now.

Step 4 Depending on how many DCs there are, this could take from less than a second to a few minutes. When it is complete, you’ll see the notification “Active Directory Domain Services has replicated the connections.” Click OK to finish.

 

Question 12 - How do you change the schedule for replication between two domain controllers in a site?

Answer –

Step 1 Start the Microsoft Management Console (MMC) Active Directory Sites and Services snap-in. (From the Start menu, select Programs, Administrative Tools, Active Directory Sites and Services.)

Step 2 Expand the Sites branch to show the various sites.

Step 3 Expand the site that contains the domain controllers. (The default site Default-First-Site-Name might be your only site.)

Step 4 Expand the servers.

Step 5 Select the server you want to configure replication to, and expand it.

Step 6 Double-click NTDS Settings for the server.

Step 7 Right-click the server you want to set replication from.

Step 8 Select Properties from the context menu.

Step 9 Select the Active Directory Service connection tab.

Step 10 Click Change Schedule.

Step 11 Modify the replication schedule as necessary (see the Screen), and click OK.

Question 13 - How do you rename a site?

Answer - When you install your first domain controller, the domain controller creates the default site Default-First-Site-Name. This name isn’t helpful, so you might want to rename it.

 

Step 1 Start the Microsoft Management Console (MMC) Active Directory Sites and Services snap-in. (From the Start menu, select Programs, Administrative Tools, Active Directory Sites and Services.)

Step 2 Expand the Sites branch.

Step 3 Right-click the site you want to rename (i.e., Default-First-Site-Name), and select Rename, as the Screen shows. (Alternatively, select the site and press F2.)

Step 4 Enter the new name, and press Enter.

 

Question 14 - What DNS Records are added in DNS When you create a Domain?

Answer –

1 - SOA (start of authority) record: In an AD-integrated zone, each DC/DNS server will have an SOA record with the server’s own IP address in its data field. This indicates that the server hosts a writeable copy of the zone. In a non-AD-integrated zone, only the primary server will host a writeable copy of the zone, so it will be the only server with an SOA record.

2 - NS (name server) records: There should be one of these for each DNS server in the domain.

3 - A (host) records: Each DC should have two host records in this location: one for the DC’s unique hostname and one for the domain. The latter records will have the name (same as parent folder). The data field of each of these records should contain the DC’s IP address.
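A way to confirm that the records listed in this answer are really present for every domain controller, as an added example that is not part of the original post: it resolves the SOA, NS and A records for the current domain and compares them against the DC list from the ActiveDirectory module. It goes one step beyond the answer's list by also checking the _ldap._tcp.dc._msdcs SRV locator record, which every domain registers. It assumes the DnsClient and ActiveDirectory modules are available and that every DC runs DNS (so an NS record is expected per DC).

```powershell
# Added example (not from the blog post): verify the DNS records created for a domain.
Import-Module ActiveDirectory
Import-Module DnsClient

function Test-AdDnsRecords {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $findings = New-Object System.Collections.Generic.List[string]
    $dcs = Get-ADDomainController -Filter *

    # 1. SOA: the zone apex must answer with a start-of-authority record
    $soa = Resolve-DnsName -Name $Domain -Type SOA -ErrorAction SilentlyContinue | Where-Object Type -eq 'SOA'
    if (-not $soa) { $findings.Add("no SOA record for $Domain") }

    # 2. NS: one per DNS server; here every DC is assumed to run DNS
    $ns = @(Resolve-DnsName -Name $Domain -Type NS -ErrorAction SilentlyContinue | Where-Object Type -eq 'NS').NameHost
    # 3a. 'same as parent' A records: the domain name itself resolves to each DC's address
    $apexA = @(Resolve-DnsName -Name $Domain -Type A -ErrorAction SilentlyContinue | Where-Object Type -eq 'A').IPAddress
    # SRV locator record (not in the answer's list, but always registered by a DC)
    $srv = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'SRV').NameTarget

    foreach ($dc in $dcs) {
        if ($ns -notcontains $dc.HostName) { $findings.Add("NS record missing for $($dc.HostName)") }
        # 3b. host A record with the DC's own name
        $hostA = @(Resolve-DnsName -Name $dc.HostName -Type A -ErrorAction SilentlyContinue | Where-Object Type -eq 'A').IPAddress
        if ($hostA -notcontains $dc.IPv4Address) { $findings.Add("host A record for $($dc.HostName) lacks $($dc.IPv4Address)") }
        if ($apexA -notcontains $dc.IPv4Address) { $findings.Add("'same as parent' A record for $($dc.IPv4Address) missing") }
        if ($srv -notcontains $dc.HostName) { $findings.Add("_ldap._tcp.dc._msdcs SRV record missing for $($dc.HostName)") }
    }
    if ($findings.Count -eq 0) { "All expected records present for $Domain" } else { $findings }
}

Test-AdDnsRecords
```

Run it from any domain-joined host with RSAT; a DC whose "same as parent" A record is missing is the usual cause of the domain name resolving to only some DCs.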

 

Question 15 – How do you perform AD online defragmentation manually on Windows Server 2003 (2K3)?

Answer –

Using a graphical user interface

Open LDP.

From the menu, select Connection → Connect.

For Server, enter the name of the target domain controller.

For Port, enter 389.

Click OK.

From the menu, select Connection → Bind.

Enter credentials of a user from one of the administrator groups.

Click OK.

From the menu, select Browse → Modify.

Leave the Dn blank.

For Attribute, enter DoOnlineDefrag.

For Values, enter 180.

For Operation, select Add.

Click Enter.

Click Run.
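The same rootDSE modify performed from PowerShell through ADSI, as an added example that is not part of the original post: it writes the DoOnlineDefrag operational attribute on the blank DN exactly as the LDP dialog does, using the value 180 from the steps above, and then reads the Directory Service event log, where ESE logs event 700 when an online defragmentation pass begins and 701 when it completes. The DC name is a hypothetical placeholder, and the account needs the same administrative rights as the LDP bind above.

```powershell
# Added example (not from the blog post): trigger online defragmentation via rootDSE and confirm it ran.
$DomainController = 'dc01.corp.example'   # hypothetical DC name, replace with a real one

function Start-AdOnlineDefrag {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Value = 180                      # same value the LDP walkthrough uses
    )
    # rootDSE is the per-DC root entry; DoOnlineDefrag is a write-only operational attribute,
    # so this is a modify against an empty DN, which is what "leave the Dn blank" means in LDP.
    $rootDse = [ADSI]"LDAP://$Server/RootDSE"
    $rootDse.Put('DoOnlineDefrag', $Value)
    $rootDse.SetInfo()

    # Give the DC a moment, then show the begin (700) / complete (701) events from ESE.
    Start-Sleep -Seconds 5
    Get-WinEvent -ComputerName $Server -FilterHashtable @{ LogName = 'Directory Service'; Id = 700, 701 } -MaxEvents 4 |
        Select-Object TimeCreated, Id, Message
}

Start-AdOnlineDefrag -Server $DomainController
```

If only a 700 event appears, the pass is still running; 701 confirms it finished. Online defragmentation reclaims space inside NTDS.DIT but never shrinks the file, so the file size on disk stays the same.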

 

Question 16 - How do you audit specific Active Directory objects?

Answer –

In order to audit Active Directory you first need to enable auditing for objects in Active Directory. To configure auditing for specific Active Directory objects:

Step 1 Select Start > Programs > Administrative Tools, and then select Active Directory Users and Computers.

Step 2 Make sure that you select Advanced Features on the View menu.

Step 3 Right-click the Active Directory object that you want to audit, and then select Properties.

Step 4 Select the Security tab, and then select Advanced.

Step 5 Select the Auditing tab, and then select Add.

Step 6 Take one of the following actions:

Type the name of either the user or the group whose access you want to audit in the Enter the object name to select box, and then select OK.

In the list of names, double-click either the user or the group whose access you want to audit.

Step 7 Select either the Successful or the Failed check box for the actions that you want to audit, and then select OK.

Step 8 Select OK, and then select OK.
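The GUI steps above done through the AD: PowerShell drive, as an added example that is not part of the original post. It adds a SACL entry (the Auditing tab) on an object, inherited to all descendants, then checks the part the answer's first sentence refers to: object SACLs only produce events when the Directory Service audit subcategories are enabled, so the example reads that policy with auditpol and lists the 5136/5137/5141 events that result. The OU distinguished name is hypothetical; the audited principal defaults to Everyone (well-known SID S-1-1-0).

```powershell
# Added example (not from the blog post): set an audit entry on an AD object and verify the audit policy.
Import-Module ActiveDirectory

function Add-AdObjectAuditRule {
    param(
        [Parameter(Mandatory)][string]$ObjectDN,                     # object to audit
        [string]$PrincipalSid = 'S-1-1-0',                           # Everyone
        [System.DirectoryServices.ActiveDirectoryRights]$Rights =
            [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, Delete, DeleteChild, CreateChild',
        [System.Security.AccessControl.AuditFlags]$Flags = 'Success, Failure'   # both check boxes in the GUI
    )
    $identity = New-Object System.Security.Principal.SecurityIdentifier($PrincipalSid)
    # Inheritance 'All' matches "This object and all descendant objects" in the Auditing dialog
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $identity, $Rights, $Flags, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

    $acl = Get-Acl -Path "AD:\$ObjectDN" -Audit          # -Audit pulls the SACL, not only the DACL
    $acl.AddAuditRule($rule)
    Set-Acl -Path "AD:\$ObjectDN" -AclObject $acl

    # Return the resulting SACL so the caller can confirm the entry landed
    (Get-Acl -Path "AD:\$ObjectDN" -Audit).GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier])
}

# The SACL is inert unless these subcategories are enabled on the DCs (normally via the Default
# Domain Controllers Policy); auditpol /r prints CSV we can parse.
function Get-DsAuditPolicy {
    auditpol /get /subcategory:"Directory Service Access","Directory Service Changes" /r |
        ConvertFrom-Csv | Select-Object Subcategory, 'Inclusion Setting'
}

Add-AdObjectAuditRule -ObjectDN 'OU=Finance,DC=corp,DC=example'   # hypothetical OU
Get-DsAuditPolicy

# With both in place, object changes show up in the Security log:
# 5136 = attribute modified, 5137 = object created, 5141 = object deleted
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5141 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run the event query on a domain controller, since that is where directory service events are written. If Get-DsAuditPolicy shows "No Auditing" for Directory Service Changes, the SACL you just set will produce nothing until the subcategory is enabled.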

 

Question 17 - How do I check my AD replication status?

Answer - Running repadmin /showrepl shows the replication status for a domain controller.

If you would like an overall replication health summary, the command repadmin /replsummary should help.

 

Question 18 - How do I fix Active Directory replication issues?

Answer - To diagnose replication errors, users can run the Active Directory Replication Status Tool that is available on DCs, or read the replication status by running repadmin /showrepl.

To view only the replication errors, use the command: repadmin /showrepl /errorsonly
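The data behind repadmin /showrepl and /replsummary read through the ActiveDirectory module, as an added example that is not part of the original post. It builds one row per server, inbound partner and partition, flags partners that have failures or have not replicated within a configurable window, and lists outstanding failures the way /showrepl /errorsonly does. It assumes RSAT and rights to read replication metadata across the forest.

```powershell
# Added example (not from the blog post): replication health without parsing repadmin output.
Import-Module ActiveDirectory

function Get-ReplicationHealth {
    # One row per (server, inbound partner, partition) across the forest
    Get-ADReplicationPartnerMetadata -Target (Get-ADForest).Name -Scope Forest -PartnerType Inbound |
        ForEach-Object {
            [pscustomobject]@{
                Server      = $_.Server
                Partner     = $_.Partner                  # NTDS Settings DN of the source DC
                Partition   = $_.Partition
                LastSuccess = $_.LastReplicationSuccess
                LastAttempt = $_.LastReplicationAttempt
                Failures    = $_.ConsecutiveReplicationFailures
                LastResult  = $_.LastReplicationResult    # 0 = success, otherwise a Win32 error code
            }
        }
}

function Get-ReplicationProblems {
    param([int]$MaxStaleHours = 24)   # well beyond the 180-minute inter-site default
    $cutoff = (Get-Date).AddHours(-$MaxStaleHours)
    Get-ReplicationHealth | Where-Object {
        $_.Failures -gt 0 -or $_.LastResult -ne 0 -or $_.LastSuccess -lt $cutoff
    }
}

# Equivalent of repadmin /showrepl /errorsonly: first failure time, count and error per partner
function Get-ReplicationFailures {
    Get-ADReplicationFailure -Target (Get-ADForest).Name -Scope Forest |
        Select-Object Server, Partner, FailureType, FirstFailureTime, FailureCount, LastError
}

Get-ReplicationProblems | Format-Table -AutoSize
Get-ReplicationFailures | Format-Table -AutoSize
```

A partner row with LastResult 0 but a LastSuccess older than the window usually means the link schedule blocks replication rather than an error; Get-ReplicationFailures stays empty in that case, which is why both views are worth keeping.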

 

Question 19 - How do you force AD replication?

Answer - To force replication between two domain controllers, run the following command on the DC you wish to update:

repadmin /syncall <DC-name> /AeD

In case you want to make changes on a DC and push replication to other DCs, the following command should do the trick:

repadmin /syncall <DC-name> /APeD
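The two repadmin /syncall commands above wrapped with a verification step, as an added example that is not part of the original post. The flags are the ones used in the answer (/A all partitions, /e cross-site, /d print names instead of GUIDs, /P push outward); after the sync the example reads each inbound partner's last-success time so the result is checked rather than assumed. A second function replicates a single object between two DCs with Sync-ADObject, which is what you want for one urgent change such as a password reset. The DC names are hypothetical.

```powershell
# Added example (not from the blog post): force replication and verify the outcome.
Import-Module ActiveDirectory

function Sync-DomainController {
    param(
        [Parameter(Mandatory)][string]$Target,   # DC to update (pull) or to push from (with -Push)
        [switch]$Push
    )
    # /AeD pulls into $Target; /APeD pushes $Target's changes to its partners (as in the answer above)
    $flags = if ($Push) { '/APeD' } else { '/AeD' }
    $output = & repadmin.exe /syncall $Target $flags 2>&1
    $output | Where-Object { $_ -match 'error' } | ForEach-Object { Write-Warning $_ }

    # Verify: every inbound partner should now show a recent success and no consecutive failures
    Get-ADReplicationPartnerMetadata -Target $Target -PartnerType Inbound |
        Select-Object Partition, Partner, LastReplicationSuccess, ConsecutiveReplicationFailures, LastReplicationResult
}

function Sync-SingleObject {
    param(
        [Parameter(Mandatory)][string]$ObjectDN,
        [Parameter(Mandatory)][string]$SourceDC,
        [Parameter(Mandatory)][string]$DestinationDC
    )
    # Replicates just this object from source to destination, ignoring the link schedule
    Sync-ADObject -Object $ObjectDN -Source $SourceDC -Destination $DestinationDC
    Get-ADObject -Identity $ObjectDN -Server $DestinationDC -Properties whenChanged |
        Select-Object DistinguishedName, whenChanged
}

Sync-DomainController -Target 'dc02.corp.example'                        # hypothetical DC
Sync-SingleObject -ObjectDN 'CN=Bill Bob,OU=Users,DC=corp,DC=example' `
    -SourceDC 'dc01.corp.example' -DestinationDC 'dc02.corp.example'   # hypothetical names
```

Sync-ADObject requires the "Replicating Directory Changes" right on the source; ordinary account operators do not have it, so failures here are usually permissions rather than connectivity.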

 

Question 20 - How often does AD replication occur?

Answer - Intra-site replication: With the exception of critical directory updates that are replicated immediately, the source DC updates changes to its closest replication partner every 15 seconds.

 

Inter-site replication: By default, the replication interval is 180 minutes and can be adjusted to be as low as 15 minutes.

 

Question 21 - What is the default replication time for Active Directory?

Answer - Intra-site replication: With the exception of critical directory updates that are replicated immediately, the source DC updates changes to its closest replication partner every 15 seconds.

 

Inter-site replication: By default, the replication interval is 180 minutes and can be adjusted to be as low as 15 minutes.

 

To change the default replication time, users can go into the Active Directory Sites and Services snap-in → Inter-site transport container → IP container → Site link you want to modify the interval on → Enter your desired value beside "Replicate every" → Save changes
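The "Replicate every" change above done with the ActiveDirectory module, as an added example that is not part of the original post. It lists every IP site link with its current interval, then sets a new interval on one link after checking that the value is inside the range the snap-in accepts (15 minutes minimum, 10080 minutes, one week, maximum) and returns the before/after values. The site link name is hypothetical.

```powershell
# Added example (not from the blog post): inspect and change an inter-site replication interval.
Import-Module ActiveDirectory

function Get-SiteLinkIntervals {
    # Interval and cost are what the KCC uses to schedule and route inter-site replication
    Get-ADReplicationSiteLink -Filter * -Properties ReplicationFrequencyInMinutes, Cost, SitesIncluded |
        Select-Object Name, ReplicationFrequencyInMinutes, Cost,
            @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }
}

function Set-SiteLinkInterval {
    param(
        [Parameter(Mandatory)][string]$SiteLink,
        [Parameter(Mandatory)][int]$Minutes
    )
    if ($Minutes -lt 15 -or $Minutes -gt 10080) {
        throw "Interval must be between 15 minutes and 10080 minutes (one week); got $Minutes"
    }
    $before = (Get-ADReplicationSiteLink -Identity $SiteLink -Properties ReplicationFrequencyInMinutes).ReplicationFrequencyInMinutes
    Set-ADReplicationSiteLink -Identity $SiteLink -ReplicationFrequencyInMinutes $Minutes
    $after  = (Get-ADReplicationSiteLink -Identity $SiteLink -Properties ReplicationFrequencyInMinutes).ReplicationFrequencyInMinutes
    [pscustomobject]@{ SiteLink = $SiteLink; BeforeMinutes = $before; AfterMinutes = $after }
}

Get-SiteLinkIntervals | Format-Table -AutoSize
Set-SiteLinkInterval -SiteLink 'HQ-Branch' -Minutes 15    # hypothetical site link name
```

The interval is written to the site link object in the Configuration partition, so it reaches the ISTG of every site only after that partition itself replicates; the new schedule is not in effect the moment the cmdlet returns.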


Monday, March 7, 2022

Top 10 Active Directory Interview Questions And Answers - Part 1 - Tech Aarya Blog





Question 1 What are the (Flexible Single Master Operation) FSMO roles?

Answer: There are five FSMO roles in total: two at the forest level and three at the domain level.

Forest Level Roles are Schema Master and Domain Naming Master

Domain Level Roles are PDC Emulator, RID Master and Infrastructure Master

 

Question 2 What role does a PDC emulator play?

Answer The DC with the Primary Domain Controller Emulator role is the authoritative DC in the domain. The PDC Emulator responds to authentication requests, changes passwords, and manages Group Policy Objects. And the PDC Emulator tells everyone else what time it is! It’s good to be the PDC.

 

Question 3 How do you change the RID Master FSMO?

Answer

Step 1. Start the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in on the domain controller (DC). (From the Start menu, select Programs, Administrative Tools, Active Directory Users and Computers.)

Step 2. In the leftmost pane, right-click the domain, and select Connect to Domain Controller.

Step 3. Select the DC you want to make the Flexible Single-Master Operation (FSMO) role owner, as the Screen shows, and click OK.

Step 4. Right-click the domain again, and select Operations Master from the context menu.

Step 5. Select the RID Pool tab.

Step 6. You’ll see the name of the machine that holds the RID Master FSMO role

Step 7. To make a change, click Change.

Step 8. Click OK in the confirmation dialog box.

Step 9. Finally, you’ll see a dialog box confirming the role change.

 

Question 4: How do you change the PDC Emulator FSMO?

Answer

Step 1. Start the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in on the domain controller (DC). (From the Start menu, select Programs, Administrative Tools, Active Directory Users and Computers.)

Step 2. In the leftmost pane, right-click the domain, and select Connect to Domain Controller.

Step 3. Select the DC you want to make the Flexible Single-Master Operation (FSMO) role owner, as the Screen shows, and click OK.

Step 4. Right-click the domain again, and select Operations Master from the context menu.

Step 5. Select the PDC tab

Step 6. You’ll see the name of the machine that holds the PDC Emulator FSMO role

Step 7. To make a change, click Change.

Step 8. Click OK in the confirmation dialog box.

Step 9. Finally, you’ll see a dialog box confirming the role change.
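The role listing from Question 1 and the RID Master / PDC Emulator transfers from Questions 3 and 4 done with the ActiveDirectory module, as an added example that is not part of the original post. Get-FsmoHolders reads the five holders from the forest and domain objects; Move-FsmoRoles performs a transfer (the current holder must be online) and returns a before/after table read from the target DC. The target DC name is hypothetical.

```powershell
# Added example (not from the blog post): enumerate FSMO role holders and transfer roles.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    param([string]$Server)   # optional: which DC to ask, so the result is not a cached answer
    $opt = @{}
    if ($Server) { $opt.Server = $Server }
    $forest = Get-ADForest @opt
    $domain = Get-ADDomain @opt
    [pscustomobject]@{
        # Forest-level roles (one holder per forest)
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        # Domain-level roles (one holder per domain)
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRoles {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster')]
        [string[]]$Roles
    )
    $before = Get-FsmoHolders
    # A transfer (no -Force) hands the role over cleanly with the old holder's consent.
    # -Force would seize it; that is only for a holder that is gone permanently, because a
    # seized RID Master, Schema Master or Domain Naming Master must never be brought back online.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Roles -Confirm:$false
    $after = Get-FsmoHolders -Server $TargetDC
    foreach ($r in $Roles) {
        [pscustomobject]@{ Role = $r; Before = $before.$r; After = $after.$r }
    }
}

Get-FsmoHolders
Move-FsmoRoles -TargetDC 'dc02' -Roles RIDMaster, PDCEmulator   # hypothetical DC name
```

Because the PDC Emulator is also the domain's time source, check the time configuration (w32tm) on the new holder after moving that role.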

 

Question 5: What is multi-master replication?

Answer The replication model used in Active Directory Domain Services is called multi-master loose consistency with convergence. In this model, the directory can have many replicas, and a replication system propagates changes made at any given replica to all other replicas. The replicas are not guaranteed to be consistent with each other at any particular time ("loose consistency"), because changes can be applied to any replica at any time ("multi-master").

 

Question 6 How do you move a server to a different site?

Answer Step 1. Start the Microsoft Management Console (MMC) Active Directory Sites and Services snap-in. (From the Start menu, select Programs, Administrative Tools, Active Directory Sites and Services Manager.)

Step 2. Expand the Sites container.

Step 3. Expand the site that currently contains the server, and expand the Servers container.

Step 4. Right-click the server, and select Move from the context menu, as the Screen shows.

Step 5. You’ll see a list of all the sites. Select the new target site, and click OK.
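The server move in this question and the site rename from Question 13 of Part 2 above, both done with the ActiveDirectory module, as an added example that is not part of the original post. A site is an ordinary object under CN=Sites in the Configuration partition, so Rename-ADObject renames it, and Move-ADDirectoryServer moves a DC's server object between sites; each function validates the names first and reads the result back. Site and DC names are hypothetical.

```powershell
# Added example (not from the blog post): rename a site and move a DC to another site.
Import-Module ActiveDirectory

function Rename-AdSite {
    param(
        [Parameter(Mandatory)][string]$CurrentName,
        [Parameter(Mandatory)][string]$NewName
    )
    $site = Get-ADReplicationSite -Identity $CurrentName                    # throws if it does not exist
    if (Get-ADReplicationSite -Filter "Name -eq '$NewName'") { throw "Site '$NewName' already exists" }
    Rename-ADObject -Identity $site.DistinguishedName -NewName $NewName
    $renamed = Get-ADReplicationSite -Identity $NewName
    # Subnets point at the site by DN link, so they follow the rename; list them to confirm
    Get-ADReplicationSubnet -Filter * | Where-Object Site -eq $renamed.DistinguishedName |
        Select-Object Name, Site
}

function Move-DcToSite {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][string]$Site
    )
    $null = Get-ADReplicationSite -Identity $Site                           # validate the target first
    Move-ADDirectoryServer -Identity $DomainController -Site $Site
    # The KCC rebuilds connection objects for the new site on its next run; show where the DC sits now
    Get-ADDomainController -Identity $DomainController | Select-Object HostName, Site
}

Rename-AdSite -CurrentName 'Default-First-Site-Name' -NewName 'HQ-Site'   # hypothetical new name
Move-DcToSite -DomainController 'dc02' -Site 'Branch-Site'                # hypothetical names
```

Moving a DC does not move any subnet; if the DC's own address still maps to the old site, clients in that subnet keep being directed there, which is the performance problem the next question warns about.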

 

Question 7 How can a server belong to more than one site?

Answer By default, a server belongs to only one site. However, you might want to configure a server to belong to multiple sites.

 

Because sites are necessary for replication, for clients to find resources, and to decrease traffic on intersite connections, simply modifying a site’s membership might cause performance problems.

 

To configure a server for multiple site membership, perform the following steps.

 

Step 1 Log on to the server you want to join multiple sites.

Step 2 Start regedt32.

Step 3 Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry entry.

Step 4 Select Add Value from the Edit menu.

Step 5 Enter the name

SiteCoverage

and the type

REG_MULTI_SZ

Step 6 Click OK.

Step 7 Enter the names of the sites to join, each on a new line. (Press Shift + Enter to move to the next line.)

Step 8 Click OK.

Step 9 Close the registry editor.

 

This process doesn’t create the objects in Active Directory (AD) to evaluate the sites. You must add these objects manually.
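The registry procedure above as a PowerShell function, as an added example that is not part of the original post. It refuses site names that do not exist as site objects (Netlogon silently ignores typos), writes the SiteCoverage multi-string value, restarts Netlogon so the site-specific SRV records are registered, and then checks that the DC is returned for a locator query scoped to the covered site. Site names are hypothetical.

```powershell
# Added example (not from the blog post): configure Netlogon site coverage and verify it.
Import-Module ActiveDirectory

function Set-NetlogonSiteCoverage {
    param([Parameter(Mandatory)][string[]]$Sites)
    # Every listed site must be a real site object; Get-ADReplicationSite throws otherwise
    foreach ($s in $Sites) { $null = Get-ADReplicationSite -Identity $s -ErrorAction Stop }

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    # REG_MULTI_SZ, one site per entry; -Force overwrites an existing value
    New-ItemProperty -Path $key -Name SiteCoverage -PropertyType MultiString -Value $Sites -Force | Out-Null
    Restart-Service Netlogon      # Netlogon registers SRV records for covered sites on start
    (Get-ItemProperty -Path $key -Name SiteCoverage).SiteCoverage
}

function Test-SiteCoverage {
    param([Parameter(Mandatory)][string]$Site)
    $domain = (Get-ADDomain).DNSRoot
    # DC locator query limited to the site: this DC should be among the answers for a covered site
    nltest /dsgetdc:$domain /site:$Site
    # The site-specific SRV record Netlogon registered for the covered site
    Resolve-DnsName -Name "_ldap._tcp.$Site._sites.dc._msdcs.$domain" -Type SRV |
        Where-Object Type -eq 'SRV' | Select-Object Name, NameTarget, Priority, Weight
}

Set-NetlogonSiteCoverage -Sites 'Branch-Site', 'Warehouse-Site'   # hypothetical site names
Test-SiteCoverage -Site 'Branch-Site'
```

Restarting Netlogon briefly interrupts authentication on that DC, so do it in a maintenance window. Automatic site coverage already makes the DC with the lowest-cost site link cover a DC-less site; SiteCoverage is for overriding that choice.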

 

Question 8 How do you back up Active Directory and the System State?

Answer Active Directory is backed up as part of the System State on a domain controller whenever you perform a backup using Windows Server Backup, Wbadmin.exe, or PowerShell.

 

The bare minimum you need to back up to protect essential Active Directory data on a domain controller is the System State. The System State includes the following list plus some additional items depending on the roles that are installed:

 

Domain controller: Active Directory DC database files (NTDS.DIT), boot files & system protected files, COM+ class registration database, registry, system volume (SYSVOL)

Domain member: Boot files, COM+ class registration database, registry

A machine running cluster services: Additionally backs up cluster server metadata

A machine running certificate services: Additionally backs up certificate data
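A System State backup of a DC through the WindowsServerBackup PowerShell module, the PowerShell route the answer mentions, as an added example that is not part of the original post. The second function checks the one thing that makes a DC backup worthless: it compares the age of the last successful backup with the forest's tombstone lifetime, because a System State older than that lifetime cannot be restored. It assumes the Windows Server Backup feature is installed and that the target volume is a hypothetical dedicated backup volume.

```powershell
# Added example (not from the blog post): System State backup of a DC and a backup-age check.
Import-Module WindowsServerBackup
Import-Module ActiveDirectory

function Start-DcSystemStateBackup {
    param([Parameter(Mandatory)][string]$TargetVolume)   # e.g. 'E:', never the system volume
    $policy = New-WBPolicy
    Add-WBSystemState -Policy $policy                      # NTDS.DIT, SYSVOL, registry, boot files, COM+ DB
    Add-WBBackupTarget -Policy $policy -Target (New-WBBackupTarget -VolumePath $TargetVolume)
    Set-WBVssBackupOptions -Policy $policy -VssFullBackup  # full VSS backup so ESE transaction logs are truncated
    Start-WBBackup -Policy $policy
}

function Test-DcBackupAge {
    # tombstoneLifetime lives on the Directory Service object in the Configuration partition.
    # If the attribute is absent, the forest was created before Windows Server 2003 SP1 and uses 60 days;
    # newer forests carry the explicit 180-day value.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
    $lifetimeDays = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }

    $last = (Get-WBSummary).LastSuccessfulBackupTime
    $ageDays = if ($last) { ((Get-Date) - $last).TotalDays } else { $null }
    [pscustomobject]@{
        LastSuccessfulBackup  = $last
        AgeDays               = if ($ageDays -ne $null) { [int]$ageDays } else { $null }
        TombstoneLifetimeDays = $lifetimeDays
        Restorable            = ($ageDays -ne $null) -and ($ageDays -lt $lifetimeDays)
    }
}

Start-DcSystemStateBackup -TargetVolume 'E:'   # hypothetical backup volume
Test-DcBackupAge
```

Test-DcBackupAge can be scheduled on each DC; a Restorable value of False means the next deletion or corruption cannot be undone from backup and a fresh System State is needed now.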

 

Question 9 How do you allow modifications to the schema?

Answer The schema is extensible, which means that you can change it. However, modifying the schema is dangerous because doing so affects the entire domain forest. Microsoft doesn’t recommend schema modification.

 

If you insist on modifying the schema, you can use the GUI or edit the registry. To use the GUI, you must first register the .dll file for the Microsoft Management Console (MMC) snap-in. Go to a command prompt, and enter

 

regsvr32 schmmgmt.dll

 

Use MMC to start the Schema Manager. Next, add the Active Directory Schema snap-in to the Schema Manager. (From the Start menu, select Run, and enter MMC. From the Console menu, select Add/Remove Snap-in. Click Add, and select Active Directory Schema. Finally, click Add, Close, OK.)

 

Step 1 Start the MMC Active Directory Schema snap-in on the domain controller (DC).

Step 2 In the leftmost pane, right-click Active Directory Schema, and select Operations Master from the context menu.

Step 3 You’ll see the name of the machine that holds the domain name operations Flexible Single-Master Operation (FSMO) role, as the Screen shows.

Step 4 Select the checkbox labeled The Schema may be modified on this server.

Step 5 Click OK in the confirmation dialog box.

 

Another way to modify the schema is to edit the registry.

 

Step 1 Start regedit.

Step 2 Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters registry entry.

Step 3 Double-click Schema Update Allowed (of type REG_DWORD).

Step 4 Set the value to 1.

Step 5 Click OK.

Step 6 Close the registry editor.

 

 

Question 10 What are Tombstone objects? Follow up Question – What are “Lingering objects”?

Answer

When you delete an object from the Active Directory (AD) database, it’s marked as a tombstone object instead of being fully removed. By default, each tombstone object remains in the database for 180 days. Once this tombstone’s lifetime value is exceeded, the tombstone object is automatically deleted by the garbage collection process. Administrators can change the default tombstone lifetime value by using the ADSI Edit tool.

A lingering object is a deleted AD object that re-appears (“lingers”) on the restored domain controller (DC) in its local copy of Active Directory. This can happen if, after the backup was made, the object was deleted on another DC more than 180 days ago.
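A look at the tombstones the answer describes, as an added example that is not part of the original post. It reads the forest's tombstoneLifetime (the value ADSI Edit changes), then lists the most recent deleted objects with the date on which garbage collection will remove each one; since whenChanged on a tombstone is the deletion time, that date is whenChanged plus the lifetime. The isRecycled flag only appears in forests with the Recycle Bin enabled. No names are assumed beyond the standard Directory Service object.

```powershell
# Added example (not from the blog post): tombstone lifetime and pending garbage collection.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
    # Absent attribute = forest created before Windows Server 2003 SP1 (60 days); otherwise the explicit value
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Get-TombstoneReport {
    param([int]$Newest = 20)
    $lifetime = Get-TombstoneLifetimeDays
    # -IncludeDeletedObjects makes the search return tombstones; the filter keeps only deleted objects
    Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
        -Properties whenChanged, lastKnownParent, isRecycled, objectClass |
        Where-Object { $_.DistinguishedName -notlike 'CN=Deleted Objects,*' } |   # skip the container itself
        Sort-Object whenChanged -Descending | Select-Object -First $Newest |
        ForEach-Object {
            [pscustomobject]@{
                Name             = ($_.Name -split "`n")[0]          # strip the "\0ADEL:<guid>" suffix
                Class            = $_.objectClass
                LastKnownParent  = $_.lastKnownParent
                DeletedOn        = $_.whenChanged
                Recycled         = [bool]$_.isRecycled
                GarbageCollectOn = $_.whenChanged.AddDays($lifetime)
            }
        }
}

"Tombstone lifetime: $(Get-TombstoneLifetimeDays) days"
Get-TombstoneReport | Format-Table -AutoSize
```

For the follow-up question, repadmin /removelingeringobjects with the /advisory_mode switch reports lingering objects on a DC without removing them, which is the safe first pass before any cleanup; the destination DC, source DC GUID and naming context it takes are environment-specific.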


Saturday, March 5, 2022

Top 100 AD Interview Questions For Interviewers | Active Directory L3 Interview Questions #TechAarya




  1. What are the (Flexible Single Master Operation) FSMO roles in Windows 2000/3?
  2. What role does a PDC emulator play in the native mode?
  3. How do you change the RID Master FSMO?
  4. How do you change the PDC Emulator FSMO?
  5. What is multi-master replication?
  6. How do you move a server to a different site?
  7. How can a server belong to more than one site?
  8. How do you back up Active Directory and the System State?
  9. How do you allow modifications to the schema?
  10. What are Tombstone objects? Follow up Q – What are “Lingering objects”?
  11. When do you switch a Windows 2000/3 domain to native mode?
  12. How do you force replication between two domain controllers in a site?
  13. How do you change the schedule for replication between two domain controllers in a site?
  14. How do you rename a site?
  15. What DNS entries does Windows 2000/3 add when you create a domain?
  16. How do you manually de-fragment Active Directory?
  17. How do you audit Active Directory?
  18. How do you enable circular logging for Active Directory?
  19. What tools are available for monitoring or changing replication?
  20. How does intra site replication work in Windows 2000/3?
  21. How can you set the RPC port that intra site replication uses?
  22. How do you remove a nonexistent domain controller?
  23. How do you remove a nonexistent domain from Active Directory?
  24. How do you create a new site link?
  25. How do you disable site link transitivity?
  26. How do you create a site link bridge?
  27. How do you specify a bridgehead server?
  28. How do you change my Windows 2000/3 domain’s NetBIOS name?
  29. How do you monitor when the Knowledge Consistency Checker runs?
  30. Why is placing the “Sysvol” directory on a separate partition a good practice?
  31. When should you manually de-fragment a domain controller (DC)?
  32. How can you determine whether the new Global Catalog (GC) is ready to service clients?
  33. How can you check the status of the Relative Identifier (RID) pool on a domain controller (DC)?
  34. What are the Relative Identifiers (RIDs) of a domain's built-in accounts?
  35. Can you switch an Active Directory (AD) domain from native mode back to mixed mode?
  36. How can you reset the Directory Service Restore Mode Administrator password?
  37. What are the Windows Server 2003 forest modes?
  38. What are the Windows Server 2003 domain modes?
  39. How can you move a computer account from one domain to another?
  40. What types of trust relationships does Windows Server 2003 support?
  41. Explain the Group Scopes in Windows 2003 AD
  42. Explain the types of AD groups that can be created in Windows 2003 AD
  43. I am trying to create a new universal user group. Why can’t I?
  44. What is a Creator Owner Account in Windows?
  45. What is the difference between Enterprise Admins & Domain Admins account in Active Directory?
  46. What are the differences between Group Policy, Registry-based policy, and Security policy?
  47. Is there a maximum number of Group Policy objects that I can store in a domain?
  48. What is the maximum number of Group Policy objects a user or computer can process?
  49. Can I apply a Group Policy object directly to a security group?
  50. Explain GPMC & RSOP in windows 2003?
  51. What is the difference between Assign and Publish Application through GPO?
  52. What permissions are necessary for Group Policy to apply to a user or computer?
  53. Where are group policies stored ?
  54. What’s contained in administrative template conf.adm
  55. Explain the Enforce and Block Inheritance features available when managing GPO precedence
  56. What is the significance of SYSVOL directory in AD?
  57. List out the important ports used in AD communications
  58. What is a site?
  59. Differentiate between Intra-site replication can be done between the domain controllers in the same site
  60. What is USN with reference to Active Directory?
  61. What is KCC?
  62. What are the protocols used by Active Directory for replication?
  63. Explain the Active Directory Partitions
  64. What is the name of AD Database and what is the default location of AD Database?
  65. What are FSMO roles and brief them all
  66. What is a Global Catalog?
  67. What is universal group membership cache in windows 2003?
  68. Can I place Global Catalog and Infrastructure Master Role on the same server? Justify your answer
  69. Give the names of few standard commands / tools from MS to troubleshoot AD related issues?
  70. What types of trust relationships are supported in Windows 2003
  71. Can we establish trust relationship between two forests?
  72. What is Active Directory?
  73. What is LDAP?
  74. Can you connect Active Directory to other 3rd-party Directory Services? Name a few options
  75. Where is the AD database held? What other folders are related to AD?
  76. What is the SYSVOL folder?
  77. Name the AD NCs and replication issues for each NC
  78. What are application partitions? When do I use them
  79. How do you create a new application partition
  80. How do you view replication properties for AD partitions and DCs?
  81. What is the function of Global Catalog in an AD forest?
  82. How do you view all the GCs in the forest?
  83. Why not make all DCs in a large forest as GCs?
  84. Trying to look at the Schema, how can I do that?
  85. What are the Support Tools? Why do I need them?
  86. What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
  87. What are AD sites? What are they used for?
  88. What's the difference between a site link's schedule and interval?
  89. What is the KCC?
  90. What is the ISTG? Who has that role by default?
  91. What are the requirements for installing AD on a new server?
  92. What can you do to promote a server to DC if you're in a remote location with slow WAN link?
  93. How can you forcibly remove AD from a server, and what do you do later? Can I get user passwords from the AD database?
  94. What tool would I use to try to grab security related packets from the wire?
  95. Name some OU design considerations
  96. What is tombstone lifetime attribute?
  97. What do you do to install a new Windows 2003 DC in a Windows 2000 AD?
  98. What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?
  99. How would you find all users that have not logged on since last month?
  100. What are the DS* commands?
  101. What's the difference between LDIFDE and CSVDE? Usage considerations?
  102. What are the FSMO roles? Who has them by default? What happens when each one fails?
  103. What FSMO placement considerations do you know of?
  104. I want to look at the RID allocation table for a DC. What do I do?
  105. What's the difference between transferring a FSMO role and seizing one? Which one should you NOT seize? Why?
  106. How do you configure a "stand-by operation master" for any of the roles?
  107. How do you backup AD?
  108. How do you restore AD?
  109. How do you change the DS Restore admin password?
  110. Why can't you restore a DC that was backed up 4 months ago?
  111. What are GPOs?
  112. Explain the loop back processing feature in Group Policy
  113. What is universal group membership cache in windows 2003?
  114. In one particular DC, OU got accidentally deleted by admin. In another DC, the same OU was getting updated? What will happen in this scenario? How to restore the deleted OU?
  115. Can we delete an object attribute in AD? How to delete?
  116. 1000 computers are there in a OU. Policy needs to be applied only for 500 computers without disturbing the setup how to apply policy?
  117. Explain the domain Controller location process in Windows 2003


Monday, April 19, 2021

Restore Active Directory Object Using LDP.EXE

 Restore AD Active Directory User Account using LDAP

 

 

LDAP –

In this example I am going to delete the user account ‘Bill Bob’ and show you how I restored it:


Open LDP.exe as an administrator

Once open, click Connection, click Connect, and type your server’s name and port. LDAP uses port 389, or 636 for LDAP over SSL.


Click Connection, click Bind, and type the Administrator account and password.

Click the Options menu, then click Controls. Under Load Predefined, select Return deleted objects.

This option will show the Deleted Objects container that is hidden by default.

Press OK

Click View, click Tree, and then select the distinguished name of the domain name.

On the left, double-click and select DC=plebs,DC=local. Then expand the Deleted Objects container, and find the deleted object (Bill Bob).

Right click on the object, then click Modify.

In the Attribute box, type isDeleted. Under Operation, click Delete, and then click Enter.

Then type distinguishedName in the Attribute field, and type the original distinguished name of the user in the Values field: CN=Bill Bob,OU=PlebUsers,DC=plebs,DC=local. You can also restore to a different DN location.

Under operation, click Replace, and then click Enter.

Select the Extended check box, and then click Run.

Now that you have restored the object, it will be back in Active Directory.

If you are getting LDP errors such as –

Operation failed. Error code: 0x57
LDAP: error code 12 – Unavailable Critical Extension

Go back into Options and Controls, double-click one of the Active Controls and check it in, whilst also making sure Load Predefined is set to ‘Return deleted objects’, then try again. I have experienced random errors at times when there is more than one active control; that took a little playing around in the Controls area to resolve.

Otherwise, if no errors appear, check AD and see if the user is now back in its original OU.

However, the results aren’t perfect: the account will be stripped of all attributes. The account will need a password and will have to be re-enabled.

However, NTFS and share permissions will still be intact.
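The same reanimation done with Restore-ADObject, as an added example that is not part of the original post. It finds the tombstone by sAMAccountName (one of the attributes a tombstone keeps), refuses ambiguous or already-recycled matches, restores to the original or an alternative OU, and then reports whether the attributes survived: with the AD Recycle Bin enabled a restore keeps everything, without it the result is the stripped account the post describes, so the caller is told to set a fresh password and re-enable. The account name and target OU are hypothetical.

```powershell
# Added example (not from the blog post): restore a deleted user with Restore-ADObject and check the result.
Import-Module ActiveDirectory

function Restore-DeletedAdUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$TargetPath                  # optional different OU, as the post allows
    )
    # Recycle Bin on: full restore. Off: tombstone reanimation, i.e. what the LDP steps above do.
    $bin = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    $recycleBin = $bin.EnabledScopes.Count -gt 0

    $deleted = @(Get-ADObject -Filter { sAMAccountName -eq $SamAccountName -and isDeleted -eq $true } `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, isRecycled)
    if ($deleted.Count -eq 0) { throw "No deleted object with sAMAccountName '$SamAccountName'" }
    if ($deleted.Count -gt 1) { throw "$($deleted.Count) tombstones match; restore by ObjectGUID instead" }
    $obj = $deleted[0]
    if ($obj.isRecycled) { throw "Object is already recycled and can no longer be restored" }

    $params = @{ Identity = $obj.ObjectGUID }      # GUID is unambiguous; the DN is mangled while deleted
    if ($TargetPath) { $params.TargetPath = $TargetPath }
    Restore-ADObject @params

    $user = Get-ADUser -Identity $obj.ObjectGUID -Properties memberOf, Enabled
    [pscustomobject]@{
        DistinguishedName      = $user.DistinguishedName
        RestoredFrom           = $obj.lastKnownParent
        RecycleBinUsed         = $recycleBin
        Enabled                = $user.Enabled
        GroupCount             = @($user.memberOf).Count
        NeedsPasswordAndEnable = -not $recycleBin   # the post's caveat applies only to reanimation
    }
}

$result = Restore-DeletedAdUser -SamAccountName 'bbob'   # hypothetical account
$result
if ($result.NeedsPasswordAndEnable) {
    Set-ADAccountPassword -Identity $result.DistinguishedName -Reset -NewPassword (Read-Host 'New password' -AsSecureString)
    Enable-ADAccount -Identity $result.DistinguishedName
}
```

The group memberships are the part reanimation loses silently; GroupCount of 0 after a restore without the Recycle Bin means they have to be rebuilt from a backup or from documentation, which is the strongest argument for enabling the Recycle Bin before it is needed.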

Hope this is helpful!

 

Windows Administrator Level 1 Interview Question & Answers
