Active Directory Interview Questions and Answers

This page collects frequently asked interview questions and answers about Microsoft’s Active Directory, covering topics such as DNS-based naming, LDAP directory services, information security, Kerberos-based authentication, and more, from basic to more advanced. The key points:

  • A domain is a set of devices on a network with a common name and database, forming part of the hierarchy in Active Directory.
  • The term forest describes the topmost logical container in an Active Directory configuration, containing domains, users, computers, and group policies, all sharing a single schema.
  • An AD schema is an Active Directory component that defines every object class and its attributes that can be created in a forest or database.
  • SYSVOL is a folder storing the domain’s public files replicated to all domain controllers.
  • LDAP is the default protocol used in directory services, and its port number is 389.
  • Windows Server 2012 adds improved FGPP, a GUI for the Active Directory Recycle Bin, Enhanced File Classification Infrastructure, the PowerShell History Viewer, and better site topology and replication management.
  • Stale user accounts in Active Directory are inactive accounts that occupy space in the directory database and are a security risk.
  • The Enterprise Admins group has full control of the forest, while the Domain Admins group has full control of its domain.
  • The goal of Active Directory replication is to ensure the consistency and synchronization of information shared between domain controllers.
  • Kerberos is an authentication protocol with port number 88 used for secure authentication in the network.
  • The two main components of Active Directory are physical (domain controller and sites) and logical (trees, forest, domains, and OU).

Hi everyone – In this video, I’m going to show you the top 50 Active Directory interview questions and answers. My name is Lauren and this channel is all about showing you how to become a highly paid IT pro fast. Let’s get started!

If you are preparing for a system administrator job interview or any similar role, you will need to have a well-rounded knowledge of Active Directory. We have compiled a list of the top 50 most asked Active Directory interview questions and answers, covering topics such as DNS-based naming, LDAP directory services, information security, Kerberos-based authentication, and more.

1) What is a domain in Active Directory?
A domain is a set of devices on a network with a common name and database, forming part of the hierarchy in Active Directory. The domain’s servers act as a central location for administrative work and security policies. In each domain, an administrator manages all objects under it, and the security system is responsible for granting access to users who present valid login credentials.

2) What is a forest in Active Directory?
A forest is a term used to describe the topmost logical container in an Active Directory configuration. The forest contains domains, users, computers, and group policies. All domains in a forest share a single schema.

3) What is an Active Directory schema?
An AD schema is an Active Directory component that defines every object class that can be created in an Active Directory forest or database and the attributes of those objects.

4) What is SYSVOL?
SYSVOL is a folder that stores the server’s copy of the domain’s public files. The contents of the SYSVOL folder are replicated to all domain controllers in the domain.

5) What default protocol can be used in directory services?
The default protocol used in directory services is the Lightweight Directory Access Protocol (LDAP).

6) What are mixed mode and native mode?
The default domain mode setting on Windows 2000 domain controllers is mixed mode. This mode does not support the universal and nested group enhancements of Windows 2000. In mixed mode, both Windows NT and Windows 2000 Backup Domain Controllers can co-exist in a domain. When all DCs (domain controllers) in a domain have been upgraded to Windows 2000 Server, the administrator can enable native mode operation.

7) How does one check if the client is running native or mixed mode?
Click Start > Programs > Admin Tools > Active Directory Users and Computers. Under Domain Properties, in Domain Operation Mode, the domain information will be listed as “filer cifs domain info.”

8) What is the port number of LDAP?
The LDAP port number is 389.

9) What are the new features of Active Directory in Windows Server 2012?
Improved FGPP: in Windows Server 2012 it is much simpler to implement a fine-grained password policy than in earlier versions. The new FGPP in Windows Server 2012 allows administrators to have several password policies in the same domain.

Active Directory Recycle Bin gets a GUI in Windows Server 2012: the Active Directory Recycle Bin optional feature can be enabled to restore deleted objects from the graphical user interface (GUI). You can perform these actions by using the Active Directory Administrative Center (ADAC).

Enhanced File Classification Infrastructure (FCI) in DAC: Windows Server 2012’s version of Dynamic Access Control (DAC) adds better functionality to the second layer of FCI resource authorization.

Windows PowerShell History Viewer: you can now see the PowerShell commands that correspond to the actions you perform in the Active Directory Administrative Center UI.

Active Directory site topology and replication: administrators can now manage site topology and replication with Windows PowerShell using a variety of tools.
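The several-policies-per-domain feature described above, as an added example that is not code from the video or the channel: it creates a stricter password settings object for privileged accounts and then checks which policy actually wins for each member. It assumes the ActiveDirectory PowerShell module on a domain-joined machine and a global security group named Tier0-Admins, which is a placeholder name.

```powershell
# Added example (not from the video): a Windows Server 2012+ fine-grained
# password policy (FGPP) gives privileged accounts stricter rules than the
# default domain policy. Assumes the ActiveDirectory module and a global
# security group "Tier0-Admins" (placeholder name) holding those accounts.
Import-Module ActiveDirectory

$subjectGroup = 'Tier0-Admins'   # placeholder group name

# Show the domain-wide policy that applies when no FGPP matches a user.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, MaxPasswordAge, LockoutThreshold

# Create the stricter policy. The lowest Precedence wins when a user is
# covered by more than one FGPP.
$params = @{
    Name                        = 'PSO-PrivilegedAccounts'
    Precedence                  = 10
    ComplexityEnabled           = $true
    MinPasswordLength           = 20
    PasswordHistoryCount        = 24
    MinPasswordAge              = (New-TimeSpan -Days 1)
    MaxPasswordAge              = (New-TimeSpan -Days 90)
    LockoutThreshold            = 5
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
    LockoutDuration             = (New-TimeSpan -Minutes 30)
    ReversibleEncryptionEnabled = $false
}
New-ADFineGrainedPasswordPolicy @params

# Apply it to the group (FGPP subjects are users or global security groups).
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' -Subjects $subjectGroup

# Verify which policy is effective for each (nested) member of the group.
Get-ADGroupMember -Identity $subjectGroup -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        $pso = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            User   = $_.SamAccountName
            Policy = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
        }
    }
```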

10) What are stale accounts in Active Directory?
Stale accounts are user accounts that have been inactive for a period of time. Stale user accounts occupy space in the directory database and are a significant security risk.
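One way to find and neutralise the stale accounts described above, as an added example (not code from the video or the channel): it lists enabled users with no logon in 90 days and disables rather than deletes them, so the SID and group memberships survive if the owner reappears. It assumes the ActiveDirectory module; the 90-day threshold and the CSV path are choices made here, not AD defaults.

```powershell
# Added example (not from the video): report enabled user accounts that have
# not logged on for 90 days and disable them in a review-first manner.
# Assumes the ActiveDirectory module; 90 days and the output path are
# choices made for this example, not AD defaults.
Import-Module ActiveDirectory

$inactiveDays = 90
$cutoff = (Get-Date).AddDays(-$inactiveDays)

# LastLogonDate is the replicated lastLogonTimestamp (accurate to roughly
# 14 days), which is good enough for a stale-account sweep. Accounts that
# have never logged on have no value, so fall back to their creation date.
$stale = Get-ADUser -Filter { Enabled -eq $true } `
    -Properties LastLogonDate, whenCreated, PasswordLastSet |
    Where-Object {
        $last = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
        $last -lt $cutoff
    }

# Keep a record of what was found before touching anything.
$stale |
    Select-Object SamAccountName, LastLogonDate, PasswordLastSet, DistinguishedName |
    Sort-Object LastLogonDate |
    Export-Csv -Path .\stale-users.csv -NoTypeInformation

# Disable, do not delete: a disabled account can be re-enabled with its SID
# and group memberships intact. -WhatIf previews; remove it to act.
foreach ($u in $stale) {
    Disable-ADAccount -Identity $u -WhatIf
    Set-ADUser -Identity $u -WhatIf `
        -Description "Disabled $(Get-Date -Format yyyy-MM-dd): inactive > $inactiveDays days"
}
```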

11) What are the differences between Domain Admin and Enterprise Admin in AD?
The Enterprise Admin group belongs to the Administrators group on all domain controllers in the forest. The Domain Admin group belongs to the Administrators group on all domain controllers, workstations, and member servers. Enterprise Admin groups have full control of the forest, while Domain Admin groups have full control in the domain.

12) What is the goal of replication in AD?
Active Directory replication ensures that data shared between domain controllers is up-to-date and that information hosted by domain controllers is consistent and synchronized between all domain controllers.

13) What is Kerberos?
Kerberos is an authentication protocol used for the network. By using secret key cryptography, Kerberos provides secure authentication for client applications.

14) What is the port number of Kerberos?
The port number of Kerberos is 88.

15) What are the main components of Active Directory?
There are two main components of Active Directory: the physical, which contains the domain controller and sites, and the logical structure, which contains the trees, forest, domains, and OU.

16) What are lingering objects?
Lingering objects are deleted objects that reappear, or linger, in a restored DC’s (domain controller’s) local copy of Active Directory. They occur when a DC does not replicate for a period longer than the tombstone lifetime (TSL) and is then brought back into replication.

17) What is a SID?
The SID (Security Identifier) is a unique, variable-length identifier used to control access to resources. It is also used by internal processes to identify a trustee or security principal. Because each security identifier is unique, a system configured by the administrator grants access to restricted resources only as intended, unless security is breached.

18) What is a subnet?
A subnetwork is a segment of the network’s computers and devices that share a specific IP address routing prefix. DCs and clients use the subnets you define to determine which site they are in. Subnetwork IP ranges are associated with specific AD sites.

19) What is the Active Directory Recycle Bin?
The Active Directory Recycle Bin was introduced in Windows Server 2008 R2, and it helps to recover deleted Active Directory objects along with their attributes without restoring a backed-up AD database and rebooting the domain controller. The AD Recycle Bin allows services to keep functioning without interruption while restoration is occurring.

20) What is the infrastructure master?
The infrastructure master updates information from objects in the local domain to objects in other domains. Only one infrastructure master DC exists in each domain.

21) What is a PDC emulator?
The primary domain controller (PDC) emulator is responsible for responding to authentication requests, changing passwords, and managing group policy objects. Each domain has one PDC emulator. The DC with the PDC emulator role is the authoritative DC in the domain. It controls time synchronization across the domain, so it is the authoritative time source.

22) How would you know whether the PDC emulator is working or not?
You can conclude the PDC emulator is not working when Windows NT BDCs are not getting updates, time is not syncing, pre-Windows 2000 clients are unable to change their passwords, and user accounts are unable to log on.

23) What is LSDOU?
There are four different levels of hierarchy for group policy processing, and they are called Local, Site, Domain, and OU (LSDOU). LSDOU is a group policy inheritance model where the policies are applied to local machines, sites, domains, and organizational units.

24) What is DNS scavenging?
DNS scavenging is a Microsoft feature that enables the cleanup and removal of old, unused records in DNS. This process prevents environments using DHCP (Dynamic Host Configuration Protocol) from detecting duplicate devices as a result of multiple DNS entries.

25) What are the hidden shares that exist on a Windows Server installation?
Admin$, Drive$, IPC$, Netlogon$, Print$, and Sysvol$.

26) Why is Netlogon necessary?
Netlogon handles login requests from the network and maintains a secure channel between the computer and the domain controller for authenticating users and services. Without the Netlogon service, the computer cannot operate on the network.

27) What is Tombstone Lifetime?
Tombstone lifetime determines the amount of time a deleted object, such as a user, remains in the directory. When the “is deleted” attribute of the deleted object is set to true, it is moved to a special container known as the tombstone. When the object is older than the tombstone lifetime, which is 60 days by default, it will be deleted by the garbage collection process.

28) What is RID master?
RID stands for Relative Identifier; the RID master is used for assigning unique IDs to the objects created in AD. RIDs are also involved when moving objects between domains.

29) What is the number of permitted unsuccessful logons on administrator accounts?
This is unlimited.

30) What do GPT and GPC stand for?
GPT stands for Group Policy Template. GPC stands for Group Policy Container.

31) Where is GPT stored?
Under the system root, in SYSVOL\sysvol\<domain name>\Policies\<GUID>.

32) Define KCC (Knowledge Consistency Checker).

KCC is a built-in process used to generate replication topology for the Active Directory forest. KCC runs on all domain controllers and creates separate replication topologies for both intrasite replication and intersite replication.

33) Explain the term Garbage Collection in AD.

Garbage Collection is an online defragmentation process designed to free space within the Active Directory database. Garbage Collection occurs every 12 hours.

34) What can prevent you from creating a new Universal User Group in AD?

Active Directory only allows Universal Groups in native mode Windows Server 2003 environments. Hence, as a requirement, all domain controllers must be promoted to Windows Server 2003 Active Directory.

35) LSDOU will not work under Windows NT. Why?

If the file ntconfig.pol exists, it will be the most prioritized file among the numerous policies.

36) What is the difference between intrasite and intersite replication?

Intrasite replication occurs within the same site, while intersite replication happens between two sites.

37) What is RepAdmin?

RepAdmin is a diagnostic tool that assists administrators in checking replication problems and diagnosing the health of Windows domain controllers. RepAdmin can be used as a tool to force replication and identify errors.
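An added example (not code from the video or the channel) that ties together Q16, Q27 and Q37: it reads the forest’s tombstone lifetime, parses the CSV output of repadmin /showrepl, and flags links that are failing or whose last success is older than the TSL, which is exactly the condition under which lingering objects can appear. It assumes the ActiveDirectory module, repadmin.exe from RSAT, and rights to query every DC.

```powershell
# Added example (not from the video): flag replication links that are
# failing or have not succeeded for longer than the tombstone lifetime,
# the situation that produces lingering objects. Assumes the ActiveDirectory
# module, repadmin.exe (RSAT) on the path and rights to query every DC.
Import-Module ActiveDirectory

# The tombstone lifetime lives in the configuration partition. An unset
# attribute means the legacy default of 60 days (forests created on
# Windows Server 2003 SP1 or later are set to 180 at creation).
$root  = Get-ADRootDSE
$dsCfg = Get-ADObject -Properties tombstoneLifetime `
    -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($root.configurationNamingContext)"
$tsl = if ($dsCfg.tombstoneLifetime) { [int]$dsCfg.tombstoneLifetime } else { 60 }
"Tombstone lifetime: $tsl days"

# repadmin /showrepl * /csv lists every inbound link of every DC with a
# header row, so ConvertFrom-Csv yields one object per link.
$links = repadmin /showrepl * /csv | ConvertFrom-Csv

$report = foreach ($l in $links) {
    $lastOk = [datetime]::MinValue
    [void][datetime]::TryParse($l.'Last Success Time', [ref]$lastOk)
    $days = if ($lastOk -ne [datetime]::MinValue) {
        [math]::Round(((Get-Date) - $lastOk).TotalDays, 1)
    } else { $null }   # never replicated successfully
    [pscustomobject]@{
        Destination = $l.'Destination DSA'
        Source      = $l.'Source DSA'
        Partition   = $l.'Naming Context'
        Failures    = [int]$l.'Number of Failures'
        DaysSinceOk = $days
        Status      = $l.'Last Failure Status'
    }
}

# Links that are already failing: fix these first.
$report | Where-Object Failures -gt 0 | Format-Table -AutoSize

# Links silent for longer than the TSL: lingering objects are possible here.
$report |
    Where-Object { $null -eq $_.DaysSinceOk -or $_.DaysSinceOk -gt $tsl } |
    Format-Table -AutoSize

# After fixing, force a forest-wide push and re-run to confirm recovery.
# repadmin /syncall /AdeP
```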

38) List the requirements for installing AD on a new server.

The domain structure, the domain name, storage location of the database and log file, location of the shared system volume folder, DNS config method, and DNS configuration.

39) What is Replmon?

Replmon is a GUI tool that administrators use when troubleshooting Active Directory replication issues. As a graphical tool, it enables administrators to view the low-level status of Active Directory replication, force synchronization between two domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication.

40) How do you take backup of AD?

To back up Active Directory, take these steps: go to Start > Programs > Accessories > System Tools > Backup, or open the Run window and type “ntbackup.” When the backup screen appears, choose a system state backup. Backing up the system state captures all the necessary information about the system, including AD, DNS, and so on.

41) What is Netdom?

Netdom is an inbuilt command-line tool that exists in Windows Server 2008 and Windows Server 2008 R2. It allows for the management of Windows domains and trust relationships. To use Netdom, the command must be run from an elevated command prompt.

42) Explain where the AD database is held and mention other folders that are related to AD.

The AD database is saved in the NTDS folder under the system root. In this folder, you can also find the main files controlling the AD structures, including EDB.log, RES1.log, NTDS.dit, EDB.chk, and RES2.log.

43) Explain the terms authoritative restore and non-authoritative restore and how they can be used.

A non-authoritative restore method will restore Active Directory to the server in which the restore is being done. Then, it will receive all the recent updates from replication partners in the domain. This is the default method for restoring Active Directory. An authoritative restore prompts the restore domain controller to replicate its Active Directory information to all other domain controllers.

44) Explain what a bridgehead server is in AD.

A bridgehead server is a DC (Domain Controller) that exists in each site. It serves as the primary route for Active Directory replication data that is moving into and out of sites. In the event of inter-site replication, KCC designates one of the domain controllers as a bridgehead server.

45) What does system state data contain?

Some of the things that can be found in the system state data are: startup files, registration database, registry system files, memory page file, AD information, cluster service information, and sysvol folder.

46) How many schema versions are there in Active Directory?

There have been four versions of the default Active Directory schema:

Schema version 13 (Windows 2000 release)
Schema version 30 (Windows Server 2003 release)
Schema version 31 (Windows Server 2003 R2 release)
Schema version 44 (Windows Server 2008 release)

47) What is the full meaning of APIPA and why is it used?

APIPA is an abbreviation of Automatic Private IP Addressing. It is a feature in Windows which allows computers to automatically self-configure an IP address and subnet mask when their DHCP server is unreachable.

48) What is ADSIEdit?

ADSIedit is an LDAP editor used to manage AD objects and perform common administrative tasks. This graphical user interface can be used to carry out tasks such as adding, deleting, and moving objects within a directory service.

49) What are two different types of Terminal Services?

Application mode and User mode.

50) What is the default size of NTDS.dit?

The default size of NTDS.dit is approximately 400 megabytes per 1000 users.

The text above was derived (in part or whole) from the video transcript and formatted for your reading enjoyment.
We do not claim the text to be an accurate representation of the video. You are encouraged to watch and listen to the video for a complete and accurate representation.
Video url: https://www.youtube.com/watch?v=mf924Bsidig
Channel url: https://www.youtube.com/@SkillsBuildTraining
Channel name: SkillsBuild Training