In this increasingly networked world, any aspiring IT professional must have in-depth knowledge of the many available directory services, and Active Directory (AD) is among the best. Developed by Microsoft for Windows Domain networks, AD is a big component of many IT infrastructures, enabling organisations to manage and secure network resources.
If you are seeking a role handling this service, this blog's got you covered with over 30 Active Directory Interview Questions. These questions and the accompanying sample answers will help you refresh your knowledge and expertise on the subject. So read on and impress the hiring managers at the first attempt!
Table of Contents
1) Frequently Asked Active Directory Interview Questions
a) What is Active Directory?
b) What advantages does Active Directory offer?
c) What is Kerberos?
d) Explain what a Subnet is
e) Describe the physical structure of Active Directory
f) Where is the Active Directory database located?
g) What are the different types of containers in Active Directory?
h) What role does DNS play in Active Directory?
i) How is replication used in Active Directory?
j) What factors influence Active Directory Domain Services?
2) Conclusion
Frequently Asked Active Directory Interview Questions
This section explores more than 30 interview questions and their sample answers, which will help you cover all bases of this topic and make a good impression on the interviewer.
What is Active Directory?
Active Directory (AD) is a powerful directory service designed by Microsoft for Windows domain networks. It stores various information about network resources, such as users, computers and services. It enables Administrators to manage security policies, authentication and access controls centrally.
What advantages does Active Directory offer?
Active Directory offers several advantages, including:
a) Centralised user and resource management.
b) Improved security through authentication and authorisation mechanisms.
c) Scalability for large environments.
d) Group Policies for configuration management.
e) Seamless Single Sign-On (SSO) across network resources.
What is Kerberos?
Kerberos is a network authentication protocol employed in Active Directory for secure authentication between clients and services. It uses ticket-granting mechanisms to prevent credential exposure and supports mutual authentication. It ensures that both users and servers verify each other's identities.
Explain what a Subnet is
A subnet is a segment of an IP network that helps manage network traffic efficiently. In Active Directory, subnets are associated with sites to optimise authentication and replication traffic by directing clients to the nearest domain controller.
Describe the physical structure of Active Directory
The physical structure of Active Directory consists of the following:
a) Domain Controllers (DCs): DCs store and replicate directory data.
b) Sites: These represent network locations for replication efficiency.
c) Replication Links: These links control how data is synchronised between sites.
Where is the Active Directory database located?
The Active Directory database (NTDS.dit) is stored in the %SystemRoot%\NTDS folder on a domain controller.
What are the different types of containers in Active Directory?
Active Directory contains various containers, including:
a) Organisational Units (OUs): OUs help organise objects within a domain.
b) Built-in Containers: These hold default objects.
c) Application Partitions: These store application-specific data.
What role does DNS play in Active Directory?
DNS is important for Active Directory as it resolves domain names to IP addresses and supports domain controller location services. AD uses SRV (Service) records in DNS to help clients find domain controllers for the purpose of authentication and other directory services.
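As an added example (not from the original page; the domain name is hypothetical), the script below resolves the SRV record that clients use to locate domain controllers and compares the advertised hosts with the DCs registered in the domain, so a DC whose DNS registration is missing stands out before it causes authentication failures.

```powershell
# Added example; 'corp.example.com' is a hypothetical domain name.
Import-Module ActiveDirectory

function Get-DcSrvRegistrationReport {
    param([string]$DomainName = 'corp.example.com')

    # _ldap._tcp.dc._msdcs.<domain> is the SRV record clients query to find DCs.
    $srvName = "_ldap._tcp.dc._msdcs.$DomainName"
    $srvTargets = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() }

    # Hostnames of every DC the domain itself knows about.
    $dcHosts = Get-ADDomainController -Filter * -Server $DomainName |
        ForEach-Object { $_.HostName.ToLower() }

    # One row per DC: is it advertised in DNS or not?
    foreach ($dc in $dcHosts) {
        [pscustomobject]@{
            DomainController = $dc
            AdvertisedInDns  = ($srvTargets -contains $dc)
        }
    }
}

Get-DcSrvRegistrationReport -DomainName 'corp.example.com' | Format-Table -AutoSize
```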
How is replication used in Active Directory?
Replication ensures that the directory changes made on one domain controller are propagated to others. There are two kinds of replication:
a) Intrasite replication which occurs within the same site for fast synchronisation.
b) Intersite replication which occurs between different sites over optimised schedules.
What factors influence Active Directory Domain Services?
Factors that influence Active Directory domain services include:
a) Network topology
b) Replication latency
c) Domain controller availability
d) Site link configurations
e) Group Policy settings
Proper design helps with efficient authentication, replication, and access control.
How do a domain and a forest differ?
A domain is a logical grouping of AD objects that share a common directory database. A forest is a collection of one or more domains that share a common schema and global catalogue. Domains within a forest are linked by trust relationships.
What function does the RID Master serve in Active Directory?
The Relative Identifier (RID) Master allocates pools of unique RIDs to each domain controller, which the DC uses when creating new objects. This ensures that no duplicate security identifiers (SIDs) exist within a domain.
What is SYSVOL?
SYSVOL is a shared directory on domain controllers that stores Group Policy Objects (GPOs), scripts, and login policies. These are replicated across all domain controllers via the File Replication Service (FRS) or Distributed File System Replication (DFSR).
What does the term Forest mean in Active Directory?
A forest is the highest hierarchical structure in Active Directory. It contains multiple domains that share a common schema, global catalogue and trust relationships.
What are lingering objects?
Lingering objects are stale directory objects that remain on a domain controller which was offline for longer than the tombstone lifetime, so it never received the deletion. These objects cause replication inconsistencies.
What is the Active Directory Schema?
The AD Schema defines the structure of directory objects, including attributes and classes. It ensures consistency across the directory.
What are the components of Active Directory?
Key components include the following:
a) Domains
b) Trees
c) Forests
d) Organisational Units (OUs)
e) Global catalogue
f) Schema
g) Domain controllers
h) Group policies
What is the Active Directory Recycle Bin?
The AD Recycle Bin allows restoration of deleted objects without data loss. It helps in maintaining attributes like group memberships.
Why is replication important in Active Directory?
Replication ensures data consistency across domain controllers. This helps in preventing authentication issues and outdated object records.
What is the Global Catalogue and what is its purpose?
The Global Catalogue (GC) is a read-only, partial replica of the directory information from every domain in the forest. It is used for searching across multiple domains quickly.
What is a Domain Controller?
A Domain Controller is a server that performs the following tasks:
a) Authenticating users
b) Enforcing security policies
c) Managing directory data
What are FSMO roles?
FSMO roles ensure smooth AD operations and include the following:
a) Schema Master
b) Domain Naming Master
c) RID Master
d) PDC Emulator
e) Infrastructure Master
How can you determine which server holds specific roles?
To determine which server holds FSMO roles, the following methods can be used:
a) Command Prompt: Run netdom query fsmo to list all FSMO role holders.
b) PowerShell: Use Get-ADForest for forest-wide roles (Schema Master & Domain Naming Master) and Get-ADDomain for domain-wide roles.
c) GUI Method: Use Active Directory Users and Computers (ADUC), Active Directory Domains and Trusts, or Active Directory Schema snap-ins.
How are FSMO Roles transferred?
FSMO roles can be transferred using:
a) GUI Method: Use Active Directory snap-ins:
i) RID Master, PDC Emulator, Infrastructure Master: ADUC (dsa.msc)
ii) Domain Naming Master: AD Domains and Trusts (domain.msc)
iii) Schema Master: AD Schema (regsvr32 schmmgmt.dll to enable).
b) Command Line Method: Open ntdsutil > roles > connections > connect to server [targetDC] > transfer [FSMO role].
c) PowerShell: Run Move-ADDirectoryServerOperationMasterRole -Identity [NewDC] -OperationMasterRole [RoleName].
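Added example (not from the original page; DC names and the domain are hypothetical) covering both the role lookup and the transfer: it lists all five FSMO role holders with Get-ADForest and Get-ADDomain, checks that each holder is reachable, then performs a graceful transfer of the domain-wide roles and re-reads the holders to confirm it.

```powershell
# Added example; 'corp.example.com' and 'DC02' are hypothetical names.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    param([string]$DomainName = 'corp.example.com')
    $forest = Get-ADForest -Server $DomainName   # forest-wide roles
    $domain = Get-ADDomain -Server $DomainName   # domain-wide roles
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# A transfer needs both the current and the new holder online; if the current
# holder is permanently gone, the role must be seized instead (-Force below).
$roles = Get-FsmoRoleHolders
foreach ($role in $roles.Keys) {
    $online = Test-Connection -ComputerName $roles[$role] -Count 1 -Quiet
    '{0,-22} {1,-30} reachable={2}' -f $role, $roles[$role], $online
}

# Graceful transfer of the three domain-wide roles to DC02.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false

# Verify: the domain-wide roles should now point at DC02.
Get-FsmoRoleHolders
```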
How can deleted objects be restored in Active Directory?
Deleted objects can be restored using:
a) Active Directory Recycle Bin: If enabled, use Active Directory Administrative Center (ADAC) or PowerShell (Restore-ADObject).
b) Authoritative Restore: Use ntdsutil to restore objects from backup, marking them authoritative for replication.
c) Tombstone Reanimation: Partially restores deleted objects, but without group memberships.
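Added example (not from the original page; the forest name and the user name are hypothetical) for the Recycle Bin route: it checks whether the feature is enabled, lists soft-deleted objects with the container they were deleted from, and restores one of them by its GUID with Restore-ADObject.

```powershell
# Added example; 'corp.example.com' and the user 'jdoe' are hypothetical.
Import-Module ActiveDirectory

# 1. Check whether the Recycle Bin is enabled; EnabledScopes is empty when it is not.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    # Enabling is forest-wide and cannot be undone; requires Enterprise Admin rights.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target 'corp.example.com' -Confirm:$false
}

# 2. List soft-deleted objects; lastKnownParent shows where each object lived.
function Get-SoftDeletedObjects {
    Get-ADObject -Filter 'isDeleted -eq $true -and Name -ne "Deleted Objects"' `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
        Select-Object Name, ObjectClass, lastKnownParent, whenChanged, ObjectGUID
}

Get-SoftDeletedObjects | Format-Table -AutoSize

# 3. Restore one object by GUID. The GUID is stable; the name of a deleted object
# carries a "DEL:<guid>" suffix, hence the wildcard match. With the Recycle Bin on,
# attributes and group memberships come back; without it only a reanimated tombstone does.
$victim = Get-SoftDeletedObjects | Where-Object { $_.Name -like 'jdoe*' } | Select-Object -First 1
if ($victim) { Restore-ADObject -Identity $victim.ObjectGUID }
```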
What is the Tombstone period?
The Tombstone period refers to the duration during which deleted objects remain in a soft-deleted state before permanent removal. In Windows Server 2008 and later, the default Tombstone period is 180 days. It allows recovery of objects before they are purged from AD.
What is the function of the Schema Master role in Active Directory?
The Schema Master FSMO role is responsible for managing and updating the Active Directory Schema. Only the domain controller holding this role can make schema modifications, which ensures consistency across the forest.
What is the role of the PDC Emulator in Active Directory?
The PDC Emulator FSMO role involves:
a) Handling password changes and forwarding them to other DCs.
b) Acting as the authoritative time source for time synchronisation.
c) Managing legacy NT4 authentication and processing account lockouts.
d) Prioritising Group Policy updates for immediate processing.
What is the purpose of the Infrastructure Master role in Active Directory?
This role updates cross-domain references in a multi-domain environment. It ensures that changes to user and group objects in one domain are correctly reflected in the other domains. However, this role is not needed if all domain controllers are Global Catalogues.
How is administrative control delegated in Active Directory?
Administrative control in AD is delegated using the following:
a) Organisational Units (OUs): Assigning specific administrative permissions to users or groups.
b) Delegation of Control Wizard: Used in ADUC to grant permissions for managing specific objects.
c) Group Policies: Assign administrative privileges through GPOs.
d) Role-based Access Control (RBAC): Implementing security groups to enforce least privilege access.
What is GPMC and RSOP in Active Directory?
Group Policy Management Console (GPMC) is a tool for managing Group Policies across multiple domains, allowing Administrators to create, edit, and link GPOs. Resultant Set of Policy (RSOP) is a diagnostic tool that evaluates and displays the effective Group Policy settings applied to a computer or user. It can be accessed via rsop.msc.
Which command creates the application directory partition?
To create an application directory partition, the ntdsutil command can be used:
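Added example (not from the original page; the server and partition names are hypothetical): an ntdsutil invocation run from PowerShell that creates an application directory partition on a chosen DC, followed by a check that the forest now lists it.

```powershell
# Added example; DC01 and the AppData partition DN are hypothetical names.
$dc        = 'DC01.corp.example.com'
$partition = 'DC=AppData,DC=corp,DC=example,DC=com'

# Each argument is one ntdsutil menu command; "quit" steps back up one menu level.
ntdsutil 'partition management' connections "connect to server $dc" quit `
    "create nc $partition $dc" quit quit

# Verify: the new partition should appear among the forest's application partitions.
(Get-ADForest).ApplicationPartitions
```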
How do you count the number of Objects in Active Directory?
The number of objects in Active Directory can be counted using the following:
a) PowerShell:
b) Command Line:
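Added example (not from the original page; the domain is whatever the machine is joined to) showing both routes: a PowerShell function that returns the total together with a per-class breakdown, which is more useful than a bare total for tracking directory growth or spotting unexpected object types, and the dsquery one-liner for the command line.

```powershell
# Added example; runs against the domain of the machine it is executed on.
Import-Module ActiveDirectory

function Get-ADObjectCountByClass {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    # -ResultSetSize $null lifts any result cap so the count is complete.
    $all = Get-ADObject -Filter * -SearchBase $SearchBase -ResultSetSize $null
    [pscustomobject]@{
        Total   = $all.Count
        ByClass = $all | Group-Object ObjectClass | Sort-Object Count -Descending |
                  Select-Object Name, Count
    }
}

$report = Get-ADObjectCountByClass
"Total objects: $($report.Total)"
$report.ByClass | Format-Table -AutoSize

# Command line equivalent: -limit 0 removes dsquery's default cap of 100 results,
# and find /c /v "" counts the returned distinguished-name lines.
cmd /c 'dsquery * -limit 0 | find /c /v ""'
```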