Active Directory Interview Questions and Answers

1. What is Active Directory?
Active Directory is a directory service built on a database that stores information about network objects such as users, computers and other resources. It provides the tools to manage and administer the entire network that connects to AD.

2. What is Active Directory Domain Services?
In Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In Windows Server 2008 and Windows Server 2008 R2, the directory service is named Active Directory Domain Services (AD DS). The rest of this topic refers to AD DS, but the information is also applicable to Active Directory.

3. What is a domain?
A domain is a set of network resources (applications, printers, and so forth) for a group of users. The user needs only to log in to the domain to gain access to the resources, which may be located on a number of different servers in the network. The ‘domain’ is simply your computer address, not to be confused with a URL. A domain address might look something like 211.170.469.

4. What is a domain controller?
A Domain controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, etc.) within the Windows Server domain. A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of computer resources with the use of a single username and password combination.

5. What is LDAP?
Lightweight Directory Access Protocol (LDAP) is the industry-standard directory access protocol, making Active Directory widely accessible to management and query applications. Active Directory supports LDAPv3 and LDAPv2.

6. What is the KCC?
KCC (Knowledge Consistency Checker) – It generates the replication topology by specifying which domain controllers will replicate to which other domain controllers in the site. The KCC maintains a list of connections, called a replication topology, to other domain controllers in the site. The KCC ensures that changes to any object are replicated to all domain controllers in the site and that updates go through no more than three connections. An administrator can also configure connection objects manually.

7. Where is the AD database held? What other folders are related to AD?
By default the AD database is stored in C:\Windows\NTDS\NTDS.DIT. SYSVOL and NETLOGON are other folders related to AD DS.

8. What is the SYSVOL folder?
System Volume (SYSVOL) is a shared directory that stores the server copy of the domain’s public files that must be shared for common access and replication throughout a domain. The term SYSVOL refers to a set of files and folders that reside on the local hard disk of each domain controller in a domain and that are replicated by the File Replication Service (FRS). Network clients access the contents of the SYSVOL tree by using the NETLOGON and SYSVOL shared folders. SYSVOL uses junction points (a physical location on a hard disk that points to data located elsewhere on the disk or on other storage devices) to manage a single-instance store.

9. What is the NETLOGON folder in AD DS and what is it used for?
The NETLOGON share points to the %SystemRoot%\SYSVOL\sysvol\{DOMAIN}\scripts folder on each DC, and its main purpose is to store logon scripts.

By default %SystemRoot%\SYSVOL\sysvol\{DOMAIN}\scripts is empty. When a script is deployed via GPO, this is the default location for storing it.

By default SYSVOL includes two folders; the Scripts folder is shared under the name NETLOGON:

Policies – (Default location: %SystemRoot%\SYSVOL\sysvol\domain_name\Policies)
Scripts – (Default location: %SystemRoot%\SYSVOL\sysvol\domain_name\Scripts)

10. Difference between Enterprise Admins and Domain Admins groups in AD?
Enterprise Admins:

Members of this group have full control of all domains in the forest.
By default, this group is a member of the Administrators group on all domain controllers in the forest.
By default, the Administrator account is a member of this group.
Because this group has full control of the forest, add users with caution.

Domain Admins:

Members of this group have full control of the domain.
By default, this group is a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain.
By default, the Administrator account is a member of this group.
Because the group has full control in the domain, add users with caution.
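Since both groups carry full control, their membership should be reviewed regularly. The following added PowerShell example (not from the original page) expands the direct and nested membership of Enterprise Admins (forest root only) and Domain Admins in every domain and flags anything other than the built-in Administrator; it assumes the RSAT ActiveDirectory module and read access to the directory.

```powershell
# Added example: report every member of Enterprise Admins and Domain Admins,
# expanding nested groups, so that additions beyond the built-in Administrator
# (RID 500) can be reviewed. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-PrivilegedGroupReport {
    $forest = Get-ADForest
    # Enterprise Admins exists only in the forest root domain.
    $targets = @(@{ Group = 'Enterprise Admins'; Server = $forest.RootDomain })
    foreach ($domain in $forest.Domains) {
        $targets += @{ Group = 'Domain Admins'; Server = $domain }
    }
    foreach ($t in $targets) {
        # -Recursive expands nested groups, which is where unexpected members hide.
        $members = Get-ADGroupMember -Identity $t.Group -Server $t.Server -Recursive
        foreach ($m in $members) {
            [pscustomobject]@{
                Domain      = $t.Server
                Group       = $t.Group
                Member      = $m.SamAccountName
                ObjectClass = $m.objectClass
                # The built-in Administrator account always has RID 500.
                BuiltIn     = $m.SID.Value.EndsWith('-500')
            }
        }
    }
}

# Show only members that someone added deliberately.
Get-PrivilegedGroupReport | Where-Object { -not $_.BuiltIn } | Format-Table -AutoSize
```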

11. Where are the Windows NT Primary Domain Controller (PDC) and its Backup Domain Controller (BDC) in Server 2003?
Active Directory replaces them. All domain controllers now share a multimaster, peer-to-peer read/write relationship, and each hosts a copy of the Active Directory database.

12. I am trying to create a new universal user group. Why can’t I?
Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.

13. What is LSDOU?
It is the Group Policy inheritance model: policies are applied in order to the Local machine, then Sites, Domains and Organizational Units.

14. Why doesn’t LSDOU work under Windows NT?
If the NTConfig.pol file exists, it has the highest priority among the numerous policies.

15. What is the number of permitted unsuccessful logons on an Administrator account?

Unlimited. Remember, though, that it’s the Administrator account, not an account that’s part of the Administrators group.

16. What is the difference between guest accounts in Server 2003 and other editions?
More restrictive in Windows Server 2003.

17. How many passwords by default are remembered when you check “Enforce Password History Remembered”?
The user’s last 6 passwords.

18. Can the Global Catalog and the Infrastructure Master be placed on a single server? If not, explain why.
As a general rule, the infrastructure master should be located on a non-global-catalog domain controller that has a direct connection object to a global catalog in the forest, preferably in the same Active Directory site. Because the global catalog server holds a partial replica of every object in the forest, an infrastructure master placed on a global catalog server will never update anything, because it has no references to objects that it does not hold.

There are, however, two exceptions to the “do not place the infrastructure master on a global catalog server” rule:
Single domain forest:
In a forest that contains a single Active Directory domain, there are no phantoms, and so the infrastructure master has no work to do. The infrastructure master may be placed on any domain controller in the domain, regardless of whether that domain controller hosts the global catalog or not.

The multidomain forest where every domain controller in a domain holds the global catalog:
If every domain controller in a domain that is part of a multidomain forest also hosts the global catalog, there are no phantoms or work for the infrastructure master to do. The infrastructure master may be put on any domain controller in that domain.
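The rule and its two exceptions can be checked mechanically. The following added PowerShell example (not from the original page) reports, for each domain in the forest, where the infrastructure master sits and whether that placement is a problem, allowing for the single-domain-forest and all-DCs-are-GC exceptions; it assumes the RSAT ActiveDirectory module.

```powershell
# Added example: evaluate infrastructure master placement against the rule
# described above. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    $forest = Get-ADForest
    # Exception 1: a single-domain forest has no phantoms to update.
    $singleDomainForest = ($forest.Domains.Count -eq 1)
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $im     = Get-ADDomainController -Identity $domain.InfrastructureMaster -Server $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
        # Exception 2: every DC in the domain is also a global catalog.
        $allDcsAreGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
        # Only a GC-hosted infrastructure master outside both exceptions is a problem.
        $violation = $im.IsGlobalCatalog -and -not $singleDomainForest -and -not $allDcsAreGc
        [pscustomobject]@{
            Domain               = $domainName
            InfrastructureMaster = $im.HostName
            IsGlobalCatalog      = $im.IsGlobalCatalog
            DomainControllers    = $dcs.Count
            AllDcsAreGc          = $allDcsAreGc
            SingleDomainForest   = $singleDomainForest
            # True means cross-domain phantom references in this domain will never be refreshed.
            PlacementProblem     = [bool]$violation
        }
    }
}

Test-InfrastructureMasterPlacement | Format-List
```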

19. What are intrasite and intersite replication?
Intrasite is the replication within the same site & intersite the replication between sites.

20. What is the Lost and Found folder in AD DS?
It is the container where objects orphaned by a replication conflict are placed.
Example: you create a user in an OU that is deleted on another DC; when replication happens, AD DS cannot find the OU, so it puts the user in the Lost and Found container.

21. What is garbage collection?
Garbage collection is a housekeeping process that is designed to free space within the Active Directory database. In Windows 2000 and in the original release version of Windows Server 2003, this process runs on every domain controller in the enterprise with a default lifetime interval of 12 hours. You can change this interval by modifying the garbageCollPeriod attribute in the enterprise-wide DS configuration object (NTDS).

22. What does System State data contain?

Startup files
COM+ registration database
Memory page file
System files
AD information
Cluster Service information

23. What is the recommended maximum number of domains in a forest?
For Windows 2000 Server, the recommended maximum number of domains in a forest is 800. For Windows Server 2003, the recommended maximum number of domains when the forest functional level is set to Windows Server 2003 (also known as forest functional level 2) is 1,200. This restriction is a limitation of multivalued, nonlinked attributes in Windows Server 2003.

24. What is the recommended maximum number of domain controllers in a domain?
To ensure reliable recovery of SYSVOL, we recommend a limit of 1200 domain controllers per domain.

25. Active Directory Replication Topology Options
The Active Directory replication topologies typically utilized are:

Ring Topology: With intrasite replication, the KCC creates a ring topology that defines the replication paths within a site. In a ring topology, each domain controller in a site has two inbound and two outbound replication partners. The KCC creates the ring so that there are no more than three hops between domain controllers in a site.
Full Mesh Topology: This topology is typically utilized in small organizations where redundancy is extremely important and the number of sites is quite small. A full mesh topology is quite expensive to manage and is not scalable.
Hub And Spoke Topology: This topology is typically implemented in large organizations where scalability is important and redundancy is less important. In this topology, one or multiple hub sites exist that have slower WAN connections to multiple spoke sites. The hub sites are usually connected to each other through high-speed WAN connections.
Hybrid Topology: The hybrid topology is a combination of any of the above topologies.

26. What is an SPN?
A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
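Because each SPN must map to exactly one account, the same value registered on two accounts leaves the KDC unable to choose which key to use, and Kerberos authentication to that service fails. The following added PowerShell example (not from the original page) indexes every SPN in the forest and reports duplicates; it assumes the RSAT ActiveDirectory module.

```powershell
# Added example: find SPN values registered on more than one account across
# all domains in the forest. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Find-DuplicateSpn {
    # SPN comparison is case-insensitive, so the index must be as well.
    $index = New-Object 'System.Collections.Generic.Dictionary[string,System.Collections.Generic.List[string]]' `
                        ([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($domain in (Get-ADForest).Domains) {
        # Any object class can carry SPNs (computers, users, MSAs), so query objects generically.
        $holders = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
                                -Properties servicePrincipalName -Server $domain
        foreach ($obj in $holders) {
            foreach ($spn in $obj.servicePrincipalName) {
                if (-not $index.ContainsKey($spn)) {
                    $index[$spn] = New-Object 'System.Collections.Generic.List[string]'
                }
                $index[$spn].Add($obj.DistinguishedName)
            }
        }
    }
    # Emit only the SPNs that violate the one-SPN-per-instance rule.
    foreach ($entry in $index.GetEnumerator()) {
        if ($entry.Value.Count -gt 1) {
            [pscustomobject]@{ SPN = $entry.Key; Accounts = ($entry.Value -join '; ') }
        }
    }
}

Find-DuplicateSpn | Format-Table -Wrap
```

The same result can be cross-checked with the built-in `setspn -X` tool, which reports duplicate SPNs for the current forest.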

27. What is AD Certificate Services?
Active Directory Certificate Services (AD CS) provides customizable services for issuing and managing public key certificates used in software security systems that employ public key technologies.

28. What is Active Directory Federation Services?
Active Directory Federation Services (AD FS) simplifies access to systems and applications using a claims-based access (CBA) authorization mechanism to maintain application security. AD FS supports Web single-sign-on (SSO) technologies that help information technology (IT) organizations collaborate across organizational boundaries.

AD FS 2.0 is a downloadable Windows Server 2008 update that is the successor to AD FS 1.0, which was first delivered in Windows Server 2003 R2, and AD FS 1.1, which was made available as a server role in Windows Server 2008 and Windows Server 2008 R2. Previous versions of AD FS are referred to collectively as AD FS 1.x.

29. What is the Active Directory Management Gateway Service?
Windows Server 2008 R2 introduces a web service interface for application access to Active Directory (AD), and the Windows Server 2008 R2 AD PowerShell cmdlets use this service. The Active Directory Management Gateway Service (ADMGS) brings that interface to older domain controllers.

ADMGS provides this web service interface for Windows Server 2003 SP2 and Windows Server 2008 domain controllers (DCs). The service lets Server 2008 R2 AD PowerShell cmdlets and other applications work against the DCs with ADMGS installed.

30. What is Offline Domain Join?
Windows Server 2008 R2 domain controllers include a new feature named Offline Domain Join. A new utility named Djoin.exe lets you join a computer to a domain, without contacting a domain controller while completing the domain join operation, by obtaining a blob from a Windows Server 2008 R2 domain controller at an earlier point in time. The computer is domain-joined when it first starts, so no restart is needed as with a normal domain join.

31. What is the AD Administrative Center?
Active Directory Administrative Center provides network administrators with an enhanced Active Directory data management experience and a rich graphical user interface (GUI). Administrators can use Active Directory Administrative Center to perform common Active Directory object management tasks (such as user, computer, group, and organizational unit management) through both data-driven and task-oriented navigation.

Administrators can use the enhanced Active Directory Administrative Center GUI to customize the Active Directory Administrative Center to suit their particular directory service administering requirements.

32. What is the AD DS Best Practices Analyzer?
Active Directory Domain Services (AD DS) Best Practices Analyzer (BPA) is a server management tool that can help you implement best practices in the configuration of your Active Directory environment. AD DS BPA scans the AD DS server role as it is installed on your Windows Server 2008 R2 domain controllers, and it reports best practice violations.

You can filter or exclude results from AD DS BPA reports that you do not need to see. You can also perform AD DS BPA tasks by using either the Server Manager graphical user interface (GUI) or cmdlets in the Windows PowerShell command-line interface.

33. What is the recommended maximum number of users in a group?
For Windows 2000 Active Directory environments, the recommended maximum number of members in a group is 5,000. This recommendation is based on the number of concurrent atomic changes that can be committed in a single database transaction.

Starting with Windows Server 2003, the ability to replicate discrete changes to linked multivalued properties was introduced as a technology called Linked Value Replication (LVR). To enable LVR, you must increase the forest functional level to at least Windows Server 2003 interim. Increasing the forest functional level changes the way that group membership (and other linked multivalued attributes) is stored in the database and replicated between domain controllers. This allows the number of group memberships to exceed the formerly recommended limit of 5,000 for Windows 2000 or Windows Server 2003 at a forest functional level of Windows 2000.

So far, testing in this area has yet to reveal any new recommended limits to the number of members in a group or any other linked multivalued attribute. Production environments have been reported to exceed 4 million members, and Microsoft scalability testing reached 500 million members.

35. What is Kerberos?
Kerberos is an authentication protocol for the network. It is built to offer strong authentication for server/client applications by using secret-key cryptography.

36. Where is the AD database held? What other folders are related to AD?
The AD database is saved in %SystemRoot%\NTDS. In the same folder you can also see other files; these are the main files controlling the AD structures. They are:

res1.log

37. What is the PDC emulator, and how would one know whether the PDC emulator is working or not?
PDC Emulator: there is one PDC emulator per domain. When an authentication attempt fails, it is forwarded to the PDC emulator, which acts as a “tie-breaker” and controls time synchronization across the domain.

These are the symptoms that indicate the PDC emulator is not working:

Time is not syncing
User accounts are not being locked out
Windows NT BDCs are not getting updates
Pre-Windows 2000 computers are unable to change their passwords
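Rather than waiting for those symptoms, the role holder can be checked directly. The following added PowerShell example (not from the original page) locates the PDC emulator, confirms it is reachable and still holds the role, and reads its time source, since a PDC syncing from its own CMOS clock is the usual cause of “time is not syncing”; it assumes the RSAT ActiveDirectory module and that w32tm.exe can reach the DC over RPC.

```powershell
# Added example: health check for the PDC emulator role holder.
# Assumes the RSAT ActiveDirectory module and RPC access for w32tm.exe.
Import-Module ActiveDirectory

function Test-PdcEmulator {
    $pdc = (Get-ADDomain).PDCEmulator
    $dc  = Get-ADDomainController -Identity $pdc
    # w32tm reports "Local CMOS Clock" or "Free-running System Clock" when the PDC
    # has no external time source configured; that is the classic time-sync failure.
    $source = (w32tm /query /source /computer:$pdc 2>&1 | Out-String).Trim()
    $sourceOk = $source -and ($source -notmatch 'CMOS|Free-running|error')
    [pscustomobject]@{
        PdcEmulator     = $pdc
        Reachable       = Test-Connection -ComputerName $pdc -Count 1 -Quiet
        HoldsRole       = $dc.OperationMasterRoles -contains 'PDCEmulator'
        TimeSource      = $source
        TimeSourceOk    = [bool]$sourceOk
        # Every other machine in the domain should ultimately chain to the PDC,
        # so the local machine's own source is worth seeing alongside it.
        LocalTimeSource = (w32tm /query /source 2>&1 | Out-String).Trim()
    }
}

Test-PdcEmulator | Format-List
```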

38. What are lingering objects?
Lingering objects can exist if a domain controller does not replicate for an interval of time that is longer than the tombstone lifetime (TSL).

39. What is the tombstone lifetime?
The tombstone lifetime in Active Directory determines how long a deleted object is retained in the directory. Deleted objects are stored in a special state referred to as a tombstone. Windows uses a 60-day tombstone lifetime if no value is set in the forest configuration.
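Questions 21, 38 and 39 all hinge on two attributes of the same configuration object. The following added PowerShell example (not from the original page) reads tombstoneLifetime and garbageCollPeriod from the Directory Service object, applies the documented defaults when they are unset, and flags any DC whose last successful inbound replication is older than the tombstone lifetime, which is exactly the condition under which lingering objects appear; it assumes the RSAT ActiveDirectory module from Windows Server 2012 or later, which provides Get-ADReplicationPartnerMetadata.

```powershell
# Added example: read tombstone/garbage-collection settings and detect DCs at
# risk of holding lingering objects. Assumes the Windows Server 2012+ RSAT
# ActiveDirectory module (Get-ADReplicationPartnerMetadata).
Import-Module ActiveDirectory

function Get-TombstoneSettings {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                             -Properties tombstoneLifetime, garbageCollPeriod
    [pscustomobject]@{
        # Unset attributes mean the defaults apply: 60 days TSL, 12 hours garbage collection.
        TombstoneLifetimeDays  = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }
        GarbageCollPeriodHours = if ($dsObject.garbageCollPeriod) { [int]$dsObject.garbageCollPeriod } else { 12 }
    }
}

function Find-LingeringObjectRisk {
    $tsl = (Get-TombstoneSettings).TombstoneLifetimeDays
    foreach ($dc in Get-ADDomainController -Filter *) {
        # One row per inbound partner and partition for this DC.
        $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction SilentlyContinue
        foreach ($m in $meta) {
            $age = (Get-Date) - $m.LastReplicationSuccess
            [pscustomobject]@{
                DC               = $dc.HostName
                Partner          = $m.Partner
                Partition        = $m.Partition
                DaysSinceSuccess = [math]::Round($age.TotalDays, 1)
                # Older than the TSL: this DC can reintroduce objects the rest of the forest already purged.
                LingeringRisk    = $age.TotalDays -gt $tsl
            }
        }
    }
}

Get-TombstoneSettings | Format-List
Find-LingeringObjectRisk | Where-Object LingeringRisk | Format-Table -AutoSize
```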

40. What is the Active Directory Schema?
The schema is the Active Directory component that describes all the attributes and object classes that the directory service uses to store data.

41. What is a child DC?
A child DC is a domain controller for a child domain beneath the root domain; the two domains share a contiguous namespace.

42. What is the RID Master?
The RID (Relative Identifier) master is the role responsible for assigning unique identifiers to objects created in AD.

43. What are the components of AD?
The components of AD include:

Logical Structure: Trees, Forest, Domains, and OU
Physical Structures: Domain controller and Sites

44. What is the Infrastructure Master?
The Infrastructure Master is responsible for updating user and group references by comparing its data with the global catalog.

45. How many types of replication are there in Active Directory?
Active Directory Intrasite Replication

Intrasite replication in Active Directory takes place between domain controllers within the same site. This makes intrasite replication an uncomplicated process. When changes are made to the replica of Active Directory on one particular domain controller, the domain controller contacts the remainder of the domain controllers within the site. The domain controller checks the information it contains against information hosted by the other domain controllers. To perform this analysis, the domain controller utilizes logical sequence numbers. Intrasite replication utilizes the Remote Procedure Call (RPC) protocol to convey replication data over fast, reliable network connections. With intrasite replication, replication data is not compressed.

Active Directory Intersite Replication

Intersite replication takes place between sites. Intersite replication can utilize either RPC over IP or SMTP to convey replication data. This type of replication has to be manually configured. Intersite replication occurs between two domain controllers that are called bridgeheads or bridgehead servers. The role of a bridgehead server (BS) is assigned to at least one domain controller in a site. A BS in one site deals with replicating changes with other BSs in different sites. You can configure multiple bridgehead servers in a site. It is only these BSs that replicate data with domain controllers in different domains by performing intersite replication with its BS partners. With intersite replication, packets are compressed to save bandwidth. This places additional CPU load on domain controllers assigned the BS role. BSs should, therefore, be machines that have enough speed and processors to perform replication. Intersite replication takes place over site links by a polling method which is every 180 minutes by default.

