50+ Active Directory Interview questions with answers
1. What is Active Directory?
Active Directory is Microsoft’s directory service for Windows networks, centralizing user and resource management. It uses a hierarchical structure with domains, forests, and organizational units for organization. Domain controllers authenticate users and store AD data, ensuring secure access and permissions. Group policies enforce consistent settings, and replication keeps data synchronized across domain controllers for reliability. Overall, Active Directory is integral for streamlined administration and security in Windows environments.
2. What is Global Catalog and its function?
The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and are distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.
The global catalog provides the ability to locate objects from any domain without having to know the domain name. A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest.
- Forest-wide searches. The global catalog provides a resource for searching an AD DS forest. Forest-wide searches are identified by the LDAP port that they use. If the search query uses port 3268, the query is sent to a global catalog server.
- User logon. In a forest that has more than one domain, two conditions require the global catalog during user authentication:
- In a domain that operates at the Windows 2000 native domain functional level or higher, domain controllers must request universal group membership enumeration from a global catalog server.
- When a user principal name (UPN) is used at logon and the forest has more than one domain, a global catalog server is required to resolve the name.
- Universal Group Membership Caching. In a forest that has more than one domain, in sites that have domain users but no global catalog server, Universal Group Membership Caching can be used to cache logon credentials so that the global catalog does not have to be contacted for subsequent user logons. This feature eliminates the need to retrieve universal group memberships across a WAN link from a global catalog server in a different site.
- Exchange Address Book lookups. Servers running Microsoft Exchange Server rely on access to the global catalog for address information. Users use global catalog servers to access the global address list (GAL).
3. What are the components of Logical AD?
The logical parts of Active Directory include forests, trees, domains, OUs and global catalogs.
Domain – A domain is a logical group of users and computers that share centralized security and administration. A domain is also a security boundary: by default, an administrator of a domain is an administrator for only that domain and no others.
Tree – a tree is a collection of Active Directory domains that share a contiguous namespace.
Forest – a forest is the largest unit in Active Directory and is a collection of trees that share a common Schema. In a forest all trees are connected by transitive two-way trust relationships, thus allowing users in any tree access to resources in another for which they have been given appropriate permissions and rights. By default, the first domain created in a forest is referred to as the root domain.
4. What are the different Partitions in AD and explain all?
The Active Directory database is logically separated into directory partitions:
- Schema partition
- Configuration partition
- Domain partition
- Application partition
Each partition is a unit of replication, and each partition has its own replication topology. Replication occurs between replicas of a directory partition. At least two directory partitions are common to all domain controllers in the same forest: the schema and configuration partitions. All domain controllers in the same domain additionally share a common domain partition.
Only one schema partition exists per forest. The schema partition is stored on all domain controllers in a forest. The schema partition contains definitions of all objects and attributes that you can create in the directory and the rules for creating and manipulating them. Schema information is replicated to all domain controllers in the forest.
There is only one configuration partition per forest. Stored on all domain controllers in a forest, the configuration partition contains information about the forest-wide Active Directory structure, including what domains and sites exist, which domain controllers exist in each forest, and which services are available. Configuration information is replicated to all domain controllers in a forest.
Many domain partitions can exist per forest. Domain partitions are stored on each domain controller in a given domain. A domain partition contains information about users, groups, computers, and organizational units. The domain partition is replicated to all domain controllers of that domain. All objects in every domain partition in a forest are stored in the global catalog with only a subset of their attribute values.
Application partitions store information about applications in Active Directory. Each application determines how it stores, categorizes, and uses application-specific information. To prevent unnecessary replication to specific application partitions, you can designate which domain controllers in a forest host specific application partitions. Unlike domain partitions, an application partition cannot store security principal objects, such as user accounts. In addition, the data in an application partition is not stored in the global catalog.
As an example of application partition, if you use a Domain Name System (DNS) that is integrated with Active Directory you have two application partitions for DNS zones — ForestDNSZones and DomainDNSZones:
- ForestDNSZones is part of a forest. All domain controllers and DNS servers in a forest receive a replica of this partition. A forest-wide application partition stores the forest zone data.
- DomainDNSZones is unique for each domain. All domain controllers that are DNS servers in that domain receive a replica of this partition. The domain's DNS zone data is stored in that domain's DomainDNSZones partition (DomainDNSZones.<domain name>).
Each domain has a DomainDNSZones partition, but there is only one ForestDNSZones partition. No DNS data is replicated to the global catalog server.
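The following PowerShell is an added example, not code from the original page. It assumes the RSAT ActiveDirectory module, a domain-joined session, and placeholder names (contoso.com, jdoe@child.contoso.com). It puts Q2 and Q4 together in practice: which DCs are global catalog servers, a forest-wide search sent to port 3268, the difference between the full replica and the GC's partial attribute set, and the partitions each DC hosts.

```powershell
# Added example, not from the original page. Assumes the RSAT ActiveDirectory module,
# a domain-joined session, and placeholder names (contoso.com, jdoe@child.contoso.com).
Import-Module ActiveDirectory

# Q2: which domain controllers are global catalog servers?
$gcs = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true }
$gcs | Select-Object HostName, Site, Domain | Format-Table -AutoSize

# Forest-wide search: appending :3268 to -Server sends the query to the GC port, so a
# UPN from any domain in the forest resolves without a referral to that domain's DCs.
$gcHost = ($gcs | Select-Object -First 1).HostName
$upn    = 'jdoe@child.contoso.com'                      # placeholder
$found  = Get-ADObject -Server "$($gcHost):3268" -LDAPFilter "(userPrincipalName=$upn)" -Properties objectSid
$found | Select-Object DistinguishedName, objectSid

# The GC keeps only the partial attribute set for objects of other domains.
# Compare attribute counts for the same object via its own domain (389) and via the GC (3268).
$objDomain = ($found.DistinguishedName -split ',DC=', 2)[1] -replace ',DC=', '.'
$full      = Get-ADObject -Identity $found.DistinguishedName -Server $objDomain -Properties *
$partial   = Get-ADObject -Identity $found.DistinguishedName -Server "$($gcHost):3268" -Properties *
'Attributes via domain DC: {0}; via global catalog: {1}' -f $full.PropertyNames.Count, $partial.PropertyNames.Count

# Q4: partitions hosted by each DC. Every DC carries schema + configuration + its own domain
# partition; DNS-integrated DCs add the ForestDnsZones / DomainDnsZones application partitions.
Get-ADDomainController -Filter * | ForEach-Object {
    [pscustomobject]@{
        DC         = $_.HostName
        IsGC       = $_.IsGlobalCatalog
        Partitions = ($_.Partitions | Sort-Object) -join '; '
    }
} | Format-List

# The naming contexts advertised by the DC you are talking to (rootDSE):
(Get-ADRootDSE).namingContexts
```

The attribute-count comparison is the quickest way to see why a GC query that needs a non-replicated attribute (for example a custom schema extension) returns nothing: the attribute is simply not in the partial set, and the fix is to mark it as replicated to the GC in the schema, not to query harder.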
5. What is a Domain Controller?
A Domain Controller (DC) is a server in Active Directory that authenticates users, enforces security policies, and manages access to network resources.
6. What are FSMO Roles?
Flexible Single Master Operations (FSMO) roles are specialized roles that manage specific tasks like schema modifications, domain naming operations, and more within an Active Directory forest.
Check this article to learn more about FSMO in detail: https://www.yourcomputer.in/fsmo-roles/
7. How to find which server holds which role?
Netdom query FSMO
8. How to Transfer FSMO Roles?
Through PowerShell, run the command below (0 to 4 are the numeric aliases for the five roles):
Move-ADDirectoryServerOperationMasterRole -Identity "DC1" -OperationMasterRole 0,1,2,3,4
Through the GUI, please check this article: https://www.yourcomputer.in/upgrade-active-directory-2012-to-2022/#gui-to-transfer-fsmo-roles
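As an added example for Q7 and Q8 (not code from the original page or the linked article), the PowerShell below lists the five role holders from the forest and domain objects, then rehearses the transfer with -WhatIf. It assumes the RSAT ActiveDirectory module; "DC1" is the placeholder target used in the answer above.

```powershell
# Added example, not from the original page. Assumes the RSAT ActiveDirectory module;
# 'DC1' is a placeholder domain controller name.
Import-Module ActiveDirectory

# Q7: forest-wide roles live on the forest object, domain-wide roles on the domain object.
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# The same five holders from the classic command line:
netdom query fsmo

# Q8: transfer. Numeric aliases 0..4 = PDCEmulator, RIDMaster, InfrastructureMaster,
# SchemaMaster, DomainNamingMaster. A transfer needs the current holder online.
# -WhatIf previews the change; remove it to apply.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC1' `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster `
    -WhatIf

# Seizure (-Force) is only for a holder that is permanently gone; a DC whose role was
# seized must not be brought back online afterwards.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC1' -OperationMasterRole SchemaMaster -Force

# Verify from a different DC so you see replicated state, not just the local view.
Get-ADForest -Server 'DC2' | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain -Server 'DC2' | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
```

Role-holder changes are worth alerting on in a SIEM, since an unexpected schema or domain naming master move is rare in normal operations and is a strong signal that someone with high privilege is reshaping the forest.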
9. How can we diagnose issues related to AD replication?
Use tools like Repadmin and DCDiag to check replication status, review event logs, and verify network connectivity between domain controllers.
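The following is an added example (not from the original page) that turns the answer into a repeatable health sweep: Repadmin and DCDiag for the classic summaries, the AD module cmdlets for filterable objects, and the Directory Service event log. It assumes the RSAT ActiveDirectory module and that the caller can reach every DC; the two-hour threshold is an assumption.

```powershell
# Added example, not from the original page. Assumes RSAT ActiveDirectory module and
# connectivity to all DCs; the 2-hour staleness threshold is an assumed value.
Import-Module ActiveDirectory

# 1. One line per DC: failures, largest delta since last success, and error counts.
repadmin /replsummary

# 2. Inbound status for one DC across all partitions; /errorsonly hides healthy links.
#    repadmin /showrepl DC1 /errorsonly

# 3. The same failure data as objects you can sort, filter and export.
Get-ADReplicationFailure -Scope Forest |
    Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError |
    Sort-Object FailureCount -Descending | Format-Table -AutoSize

# 4. Partner links whose last successful inbound replication is older than the threshold.
$cutoff = (Get-Date).AddHours(-2)
Get-ADDomainController -Filter * | ForEach-Object {
    Get-ADReplicationPartnerMetadata -Target $_.HostName -PartitionFilter All -ErrorAction SilentlyContinue
} | Where-Object { $_.LastReplicationSuccess -lt $cutoff } |
    Select-Object Server, Partner, Partition, LastReplicationSuccess, LastReplicationResult |
    Format-Table -AutoSize

# 5. DCDiag with the tests that matter for replication: connectivity, DNS, replication itself.
dcdiag /test:connectivity /test:dns /test:replications /v

# 6. Directory Service event log on this DC: critical, error and warning events in the last day.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Level = 1, 2, 3; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Select-Object -First 20 TimeCreated, Id, ProviderName, Message
```

Step 4 is the one that catches the quiet failures: a partner that has never errored but simply stopped being scheduled still shows an old LastReplicationSuccess, and that is also the number to watch against the tombstone lifetime discussed in Q13 to Q15.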
10. Explain intersite and intrasite replication.
11. What are authoritative and non-authoritative restores?
Active Directory is backed up as part of the system state, a collection of system components that depend on each other. You must back up and restore system state components together.
Components that comprise the system state on a domain controller include:
- System Start-up Files (boot files). These are the files required for Windows 2000 Server to start.
- System registry.
- Class registration database of Component Services. The Component Object Model (COM) is a binary standard for writing component software in a distributed systems environment.
- SYSVOL. The system volume provides a default Active Directory location for files that must be shared for common access throughout a domain. The SYSVOL folder on a domain controller contains:
- NETLOGON shared folders. These usually host user logon scripts and Group Policy objects (GPOs) for non-Windows 2000 based network clients.
- User logon scripts for Windows 2000 Professional-based clients and clients that are running Windows 95, Windows 98, or Windows NT 4.0.
- Windows 2000 GPOs.
- File system junctions.
- File Replication service (FRS) staging directories and files that are required to be available and synchronized between domain controllers.
- Active Directory. Active Directory includes:
- Ntds.dit: The Active Directory database.
- Edb.chk: The checkpoint file.
- Edb*.log: The transaction logs, each 10 megabytes (MB) in size.
- Res1.log and Res2.log: Reserved transaction logs.
Note: If you use Active Directory-integrated DNS, then the zone data is backed up as part of the Active Directory database. If you do not use Active Directory-integrated DNS, you must explicitly back up the zone files. However, if you back up the system disk along with the system state, zone data is backed up as part of the system disk. If you installed Windows Clustering or Certificate Services on your domain controller, they are also backed up as part of system state.
Non-authoritative restoration of Active Directory
A non-authoritative restore returns the domain controller to its state at the time of backup, then allows normal replication to overwrite that state with any changes that have occurred after the backup was taken. After you restore the system state, the domain controller queries its replication partners. The replication partners replicate any changes to the restored domain controller, ensuring that the domain controller has an accurate and updated copy of the Active Directory database.
Non-authoritative restore is the default method for restoring Active Directory, and you will use it in most situations that result from Active Directory data loss or corruption. To perform a non-authoritative restore, you must be able to start the domain controller in Directory Services Restore Mode.
Non-authoritative restoration of SYSVOL
When you non-authoritatively restore the SYSVOL, the local copy of SYSVOL on the restored domain controller is compared with that of its replication partners. After the domain controller restarts, it contacts its replication partners, compares SYSVOL information, and replicates any necessary changes, bringing it up to date with the other domain controllers within the domain.
Perform a non-authoritative restore of SYSVOL if at least one other functioning domain controller exists in the domain. This is the default method for restoring SYSVOL and occurs automatically if you perform a non-authoritative restore of the Active Directory.
If no other functioning domain controller exists in the domain, then perform a primary restore of the SYSVOL. A primary restore builds a new File Replication service (FRS) database by loading the data present under SYSVOL on the local domain controller. This method is the same as a non-authoritative restore, except that the SYSVOL is marked primary.
Authoritative restoration of Active Directory
An authoritative restore is an extension of the non-authoritative restore process. You must perform the steps of a non-authoritative restore before you can perform an authoritative restore. The main difference is that an authoritative restore has the ability to increment the version number of the attributes of all objects in an entire directory, all objects in a subtree, or an individual object (provided that it is a leaf object) to make it authoritative in the directory. Restore the smallest unit necessary, for example, do not restore the entire directory in order to restore a single subtree.
As with a non-authoritative restore, after a domain controller is back online, it will contact its replication partners to determine any changes since the time of the last backup. However, because the version number of the object attributes that you want to be authoritative will be higher than the existing version numbers of the attribute held on replication partners, the object on the restored domain controller will appear to be more recent and therefore will be replicated out to the rest of the domain controllers within the environment.
Unlike a non-authoritative restore, an authoritative restore requires the use of a separate tool, Ntdsutil.exe. No backup utilities, including the Windows 2000 Server system tools, can perform an authoritative restore.
An authoritative restore will not overwrite new objects that have been created after the backup was taken. You can authoritatively restore only objects from the configuration and domain-naming contexts. Authoritative restores of schema-naming contexts are not supported.
Perform an authoritative restore when human error is involved, such as when an administrator accidentally deletes a number of objects and that change replicates to the other domain controllers and you cannot easily recreate the objects. To perform an authoritative restore, you must start the domain controller in Directory Services Restore Mode.
Authoritative restoration of SYSVOL
By authoritatively restoring the SYSVOL, you are specifying that the copy of SYSVOL that is restored from backup is authoritative for the domain. After the necessary configurations have been made, Active Directory marks the local SYSVOL as authoritative and it is replicated to the other domain controllers within the domain.
The authoritative restore of SYSVOL does not occur automatically after an authoritative restore of Active Directory. Additional steps are required.
As with Active Directory authoritative restore, you typically perform an authoritative restore of SYSVOL when human error is involved and the error has replicated to other domain controllers. For example, you might perform an authoritative restore of SYSVOL if an administrator has accidentally deleted an object that resides in SYSVOL, such as a Group Policy object.
For more details, check this article: https://www.yourcomputer.in/authoritative-vs-non-authoritative-restoration-of-active-directory/
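As an added example (not the page's or the linked article's procedure), the commands below show the system state backup described above and the two restore paths in command form: wbadmin for the backup and the non-authoritative restore, ntdsutil for the authoritative part, and the separate SYSVOL flag. It assumes the Windows Server Backup feature on the DC; the backup target (E:), the version timestamp and the OU distinguished name are placeholders.

```powershell
# Added example, not from the original page. Assumes the Windows Server Backup feature;
# E:, the version timestamp and the OU DN are placeholders.
Install-WindowsFeature Windows-Server-Backup

# --- Backup: system state = boot files, registry, COM+ class DB, NTDS (ntds.dit + logs), SYSVOL ---
# The target must not be the system disk; -quiet suppresses the confirmation prompt.
wbadmin start systemstatebackup -backupTarget:E: -quiet
wbadmin get versions -backupTarget:E:      # note the version identifier for the restore

# --- Non-authoritative restore (the default; partners overwrite anything older than they hold) ---
# 1. Boot into Directory Services Restore Mode and log on with the DSRM administrator password.
bcdedit /set safeboot dsrepair
Restart-Computer
# 2. In DSRM, restore the chosen version (timestamp is a placeholder).
#    wbadmin start systemstaterecovery -version:01/31/2024-22:00 -quiet
# 3. Leave safe mode and reboot; the DC then pulls newer changes from its replication partners.
#    bcdedit /deletevalue safeboot
#    Restart-Computer

# --- Authoritative restore: after step 2, before the reboot in step 3, still in DSRM ---
# ntdsutil raises the version numbers of the chosen subtree so the restored copy wins
# replication. Restore the smallest unit needed; objects created after the backup survive.
# Quote the DN inside the ntdsutil command if it contains spaces.
#    ntdsutil "activate instance ntds" "authoritative restore" "restore subtree OU=Sales,DC=contoso,DC=com" quit quit

# --- Authoritative SYSVOL restore is a separate decision: add -authsysvol to the recovery ---
#    wbadmin start systemstaterecovery -version:01/31/2024-22:00 -authsysvol -quiet

# Keep the backup media and the DSRM password under the same controls as a DC itself:
# a system state backup contains every password hash in the domain.
```

The commented lines are the ones that change directory state or require DSRM; they are shown as comments so the block can be read top to bottom as the sequence, with each step run deliberately rather than as one script.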
12. How can you restore deleted objects in Active Directory?
Using the Active Directory Recycle Bin feature or by performing an authoritative restore from a backup.
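An added example (not code from the original page) for the Recycle Bin path: enable the feature once per forest, list deleted objects that still carry their attributes, and restore one to its original container. It assumes the RSAT ActiveDirectory module, Enterprise Admins rights for the enable step, and placeholder names (contoso.com, a user named jdoe).

```powershell
# Added example, not from the original page. Assumes RSAT ActiveDirectory module and
# placeholders (contoso.com, user jdoe). Enabling the Recycle Bin cannot be undone.
Import-Module ActiveDirectory

# One-time, forest-wide: needs forest functional level 2008 R2 or higher.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target 'contoso.com' -Confirm:$false

# Deleted objects sit under CN=Deleted Objects. With the Recycle Bin on, they keep
# their attributes (including group membership) until the deleted-object lifetime ends;
# without it they are stripped tombstones and only an authoritative restore brings them back.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and name -ne 'Deleted Objects' } `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, objectClass |
    Sort-Object whenChanged -Descending
$deleted | Select-Object Name, objectClass, lastKnownParent, whenChanged | Format-Table -AutoSize

# Pick the object to restore. Deleted names look like "jdoe\0ADEL:<guid>", so match on the prefix.
$victim = $deleted | Where-Object { $_.Name -like 'jdoe*' } | Select-Object -First 1

# Restore to the original parent. If that OU was deleted too, restore the OU first,
# or pass -TargetPath to place the object under a different container.
if ($victim -and $victim.lastKnownParent) {
    Restore-ADObject -Identity $victim.ObjectGUID
}

# Review before handing the account back: it returns with the memberships and
# enabled/disabled state it had at deletion time, which may no longer be appropriate.
Get-ADUser -Identity $victim.ObjectGUID -Properties Enabled, MemberOf |
    Select-Object SamAccountName, Enabled, @{n='Groups'; e={ $_.MemberOf -join '; ' }}
```

Deleted-object events (event ID 5141 with directory service change auditing enabled) paired with a later restore are a useful audit trail; a bulk deletion followed by silence is the scenario where the authoritative restore from Q11 is still required.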
13. What is the Tombstone period?
The tombstone lifetime in an Active Directory forest determines how long a deleted object (called a “tombstone”) is retained in Active Directory Domain Services (AD DS). The tombstone lifetime is determined by the value of the tombstone lifetime attribute on the Directory Service object in the configuration directory partition.
The typical lifetime is 180 days.
14. What are Lingering Objects?
Lingering objects can occur if a domain controller does not replicate for an interval of time that is longer than the tombstone lifetime (TSL). The domain controller then reconnects to the replication topology. Objects that are deleted from the Active Directory directory service when the domain controller is offline can remain on the domain controller as lingering objects.
15. What is Strict Replication and how do you enable it?
Strict Replication is a mechanism developed by Microsoft for Active Directory replication. If a domain controller has Strict Replication enabled, it will not accept "lingering objects" from a domain controller that was isolated for longer than the tombstone lifetime. TSL is 180 days by default on a forest created with Windows Server 2003 SP1.
A domain controller should not be out of sync for longer than this period. Lingering objects may appear on other domain controllers if replication happens with the outdated domain controller. Domain controllers with the registry key below set will refuse to replicate with the outdated domain controller. You must set the following registry setting on all domain controllers to enable Strict Replication:
- KEY Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
- Registry Entry: Strict Replication Consistency
- Value: 1 (enabled), 0 (disabled)
- Type: REG_DWORD
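The following PowerShell is an added example (not from the original page) that checks Q13 to Q15 together: it reads the forest's tombstone lifetime from the Directory Service object, flags any replication partner link older than that lifetime (the lingering-object condition), and reports the Strict Replication Consistency value on every DC. It assumes the RSAT ActiveDirectory module and PowerShell remoting to the DCs.

```powershell
# Added example, not from the original page. Assumes RSAT ActiveDirectory module and
# PowerShell remoting (Invoke-Command) to every domain controller.
Import-Module ActiveDirectory

# Q13: the tombstone lifetime attribute on CN=Directory Service in the configuration partition.
# When the attribute is not set, the pre-2003 SP1 default of 60 days applies.
$cfgNC = (Get-ADRootDSE).configurationNamingContext
$ds    = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" -Properties tombstoneLifetime
$tsl   = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
"Tombstone lifetime: $tsl days"

# Q14: any partner link whose last success is older than the TSL can reintroduce deleted objects.
$cutoff = (Get-Date).AddDays(-$tsl)
Get-ADDomainController -Filter * | ForEach-Object {
    Get-ADReplicationPartnerMetadata -Target $_.HostName -PartitionFilter All -ErrorAction SilentlyContinue
} | Where-Object { $_.LastReplicationSuccess -lt $cutoff } |
    Select-Object Server, Partner, Partition, LastReplicationSuccess | Format-Table -AutoSize

# Q15: Strict Replication Consistency on every DC (1 = refuse a partner that offers a lingering object).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dcs     = (Get-ADDomainController -Filter *).HostName
Invoke-Command -ComputerName $dcs -ArgumentList $regPath -ScriptBlock {
    param($p)
    $v = (Get-ItemProperty -Path $p -Name 'Strict Replication Consistency' -ErrorAction SilentlyContinue).'Strict Replication Consistency'
    [pscustomobject]@{ DC = $env:COMPUTERNAME; StrictReplication = $v }
} | Select-Object DC, StrictReplication | Format-Table -AutoSize

# To enable it on a DC that reports 0 or nothing (run there, or through Invoke-Command):
#    Set-ItemProperty -Path $regPath -Name 'Strict Replication Consistency' -Value 1 -Type DWord

# Advisory mode lists lingering objects on a suspect DC without removing them, using a
# known-good DC's DSA GUID as the reference (placeholders in angle brackets):
#    repadmin /removelingeringobjects <SuspectDC> <CleanDC-DSA-GUID> <PartitionDN> /advisory_mode
```

A DC that reports strict consistency off and has a partner link older than the TSL is the combination to fix first: loose consistency lets the stale DC's objects replicate back in, which is exactly how deleted accounts reappear.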
16. Explain the purpose of the Schema Master role in Active Directory.
The Schema Master is responsible for maintaining and modifying the schema, which defines the attributes and structure of objects in the directory.
17. What is the purpose of the PDC Emulator role in Active Directory?
The PDC Emulator is responsible for time synchronization within the domain, processing password changes, and acting as the primary domain controller for Windows NT 4.0 BDCs.
18. How do you find the server holding DHCP?
- Open Command Prompt.
- Type netsh.
- At the netsh> command prompt, type dhcp.
- At the netsh dhcp> command prompt, type show server. This will give you a list of servers within the current Active Directory domain.
19. How to configure the DHCP server?
Refer to this article: https://www.yourcomputer.in/configure-high-availability-on-dhcp-server/
20. If users are not getting an IP address from the DHCP servers, what steps do you take to fix the issue?
- Check the DHCP service
- Check that the DHCP IP helper address is correct on the router or firewall
- Check that the VLAN tagging is correct on the server's switch port
- Check that the IP addresses in the DHCP pool are not exhausted
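An added example (not from the original page) that covers Q18 and the server-side checks of Q20 with the DhcpServer PowerShell module instead of netsh. It assumes the RSAT DHCP tools and a placeholder server name (dhcp01.contoso.com).

```powershell
# Added example, not from the original page. Assumes the DhcpServer module (RSAT-DHCP)
# and a placeholder server name.
Import-Module DhcpServer
$server = 'dhcp01.contoso.com'

# Q18: DHCP servers authorized in Active Directory (equivalent of "netsh dhcp show server").
# A domain-joined Windows DHCP server that is not on this list refuses to start its service,
# which is the control against accidental or rogue Windows DHCP servers.
Get-DhcpServerInDC | Select-Object DnsName, IPAddress

# Q20 step 1: is the service actually running?
Get-Service -ComputerName $server -Name DHCPServer | Select-Object MachineName, Status

# Q20 step 4: pool exhaustion per scope; anything near 100% explains "no IP" for new clients.
Get-DhcpServerv4ScopeStatistics -ComputerName $server |
    Select-Object ScopeId, Free, InUse, Reserved, PercentageInUse |
    Sort-Object PercentageInUse -Descending | Format-Table -AutoSize

# A scope that is Inactive hands out nothing even with free addresses; check its state too.
Get-DhcpServerv4Scope -ComputerName $server | Select-Object ScopeId, Name, State, LeaseDuration

# Steps 2 and 3 (IP helper on the router, VLAN on the switch) are network-side, but you can
# confirm from the server which interfaces the service listens on, so a relay is pointing at
# an address that DHCP actually binds.
Get-DhcpServerv4Binding -ComputerName $server | Select-Object InterfaceAlias, IPAddress, BindingState

# Per-scope exclusions shrink the usable pool without showing in the scope range itself.
Get-DhcpServerv4ExclusionRange -ComputerName $server | Select-Object ScopeId, StartRange, EndRange
```

When a relay is involved, the DHCPDISCOVER arrives unicast from the helper address with the relay's interface address in the giaddr field, which is what the server uses to pick the scope; a helper pointing at the wrong server or a missing scope for that subnet produces the same "no IP" symptom as an exhausted pool.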
21. What is the process of a user getting an IP address from the DHCP server?
- DORA process
- DISCOVER: When a client is configured to obtain an IP address automatically, it searches for a DHCP server by sending a DHCP discover message as a UDP broadcast.
- OFFER: The DHCP server offers an IP address available in the scope's pool.
- REQUEST: In response to the offer, the client requests the offered IP address.
- ACKNOWLEDGE: In response to the request, the server replies with the IP address, subnet mask, gateway, DNS and WINS information in the acknowledgement packet.
- DHCP message types
- DHCPDISCOVER: This message type is used by the DHCP client to discover DHCP servers.
- DHCPOFFER: This message type is used by the DHCP server to respond to a received DHCPDISCOVER message and to offer configuration details at that time.
- DHCPREQUEST: This message comes from a client to the DHCP server and conveys three different things. First, it requests configuration details from one specific DHCP server and thereby rejects offers from any other DHCP servers. Second, it is used to verify a previously used IP address after a system has rebooted. Third, it is used to extend the lease of a specific IP address.
22. How can we seize AD roles?
It can be done through a PowerShell command; check this article: https://www.yourcomputer.in/upgrade-active-directory-2012-to-2022/#power-shell-cli-to-transfer-fsmo-roles
23. What is Kerberos and its process?
Kerberos is a network authentication protocol used by Active Directory for secure authentication, providing mutual authentication between clients and servers.
24. What does a system state backup contain?
The following system components make up the System State data:
- COM+ class registration database
- Boot files, including the system files
- Certificate services database
- Active Directory
- The system volume
If the workstation is a domain controller, the following components are backed up:
- Active Directory (NTDS)
- The system volume (SYSVOL)
If the workstation is a certificate server, then the related data is also backed up. Many security and other disasters can be fixed by restoring System State to a good configuration.
- How you can take the backup of DC?
- Are you aware of the ITIL Process?
- Explain the process in ITIL like Incident Management, Change Management, and Problem Mgmt.
- How do you do the patching?
- Do you know SCOM and its configuration?
- What is the ticketing tool used?
- How to upgrade the O/S?
- What are all the different modes of O/S?
25. Differentiate between a Forest and a Domain in Active Directory
A domain is a logical grouping of objects within Active Directory, while a forest is a collection of domains that share a common schema, configuration, and global catalog.
26. Explain LDAP (Lightweight Directory Access Protocol) and its role in an Active Directory
LDAP is a protocol used to access and manage directory services. Active Directory uses LDAP for communication between clients and servers for querying and modifying directory information.
27. What are the files containing the AD database?
In Windows 2000 Active Directory the data store, the actual database file, is %SystemRoot%\ntds\NTDS.DIT. The ntds.dit file is the heart of Active Directory, including user accounts. Active Directory's database engine is the Extensible Storage Engine (ESE), which is based on the Jet database used by Exchange 5.5 and WINS. The ESE can grow to 16 terabytes, which would be large enough for 10 million objects; in practice, only the Jet database engine manipulates information within the AD data store.
For information on domain controller configuration to optimize Active Directory,
The Active Directory ESE database, NTDS.DIT, consists of the following tables:
- Schema table: the types of objects that can be created in Active Directory, the relationships between them, and the optional and mandatory attributes on each type of object. This table is fairly static and much smaller than the data table.
- Link table: contains linked attributes, which contain values referring to other objects in Active Directory. Take the MemberOf attribute on a user object: that attribute contains values that reference the groups to which the user belongs. This table is also far smaller than the data table.
- Data table: users, groups, application-specific data, and any other data stored in Active Directory. The data table can be thought of as having rows, where each row represents an instance of an object such as a user, and columns, where each column represents an attribute in the schema such as GivenName.
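As an added example (not from the original page), the PowerShell below locates the database and log files on a DC from the NTDS service parameters rather than assuming the default path, lists them with sizes, and checks that nothing beyond SYSTEM and Administrators has access to ntds.dit. It assumes it runs on a domain controller with local administrator rights; the file name pattern covers the files named in Q11.

```powershell
# Added example, not from the original page. Run on a DC as a local administrator.
$params  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dit     = $params.'DSA Database file'          # usually %SystemRoot%\NTDS\ntds.dit
$logDir  = $params.'Database log files path'    # edb*.log, edb.chk, reserved logs
$workDir = $params.'DSA Working Directory'

"Database  : $dit"
"Log folder: $logDir"

# Inventory of the files Q11 lists (the live ntds.dit is locked by lsass; sizes only).
Get-ChildItem -Path $workDir, $logDir -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^(ntds\.dit|edb.*\.(log|chk)|res\d\.(log|jrs)|temp\.edb)$' } |
    Sort-Object FullName -Unique |
    Select-Object FullName, @{n='SizeMB'; e={ [math]::Round($_.Length / 1MB, 1) }}, LastWriteTime |
    Format-Table -AutoSize

# ntds.dit contains every password hash in the domain. Expected ACL: SYSTEM and
# Administrators only; any other principal with access is a finding.
$allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$extra   = (Get-Acl -Path $dit).Access |
    Where-Object { $allowed -notcontains $_.IdentityReference.Value } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
if ($extra) { 'Unexpected ACEs on ntds.dit:'; $extra | Format-Table -AutoSize } else { 'ntds.dit ACL: only SYSTEM and Administrators' }

# Copies are the other exposure: backups, VHDs of DC images and IFM media all carry the same
# file. Check that the backup target inherits no broader permissions than the DC itself.
# $backupTarget = 'E:\WindowsImageBackup'   # placeholder
# (Get-Acl $backupTarget).Access | Select-Object IdentityReference, FileSystemRights

# Header check without mounting (run against a copy, or on the live file from DSRM):
#    esentutl /mh $dit
```

Enabling object access auditing with a SACL on ntds.dit (event ID 4663 on read attempts by anything other than lsass) gives a detection for the unlikely case that the ACL check above ever fails in practice.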
28. What is LDAP Filtering in Active Directory?
LDAP Filtering is used to customize queries for specific attributes, allowing more precise searches for objects in Active Directory.
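The following PowerShell is an added example, not from the original page. It shows common LDAP filters used with Get-ADObject, including the bitwise and in-chain matching rules, and a small escaping function for filter values that come from user input, since an unescaped value can change the meaning of the whole filter (LDAP injection). It assumes the RSAT ActiveDirectory module; the sample input string is constructed.

```powershell
# Added example, not from the original page. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping for a value placed inside a filter: \ ( ) * and NUL
    # become \5c \28 \29 \2a \00. Backslash must be handled first.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' `
           -replace '\(', '\28' `
           -replace '\)', '\29' `
           -replace '\*', '\2a' `
           -replace "`0", '\00'
}

# Constructed untrusted input: unescaped, it would turn a name lookup into "match everything".
$userInput = '*)(objectClass=*'
$safeValue = ConvertTo-LdapFilterValue $userInput
"Unsafe filter : (sAMAccountName=$userInput)"
"Escaped filter: (sAMAccountName=$safeValue)"     # value becomes \2a\29\28objectClass=\2a

$domainDN = (Get-ADDomain).DistinguishedName
$filters = [ordered]@{
    # userAccountControl is a bit field; 1.2.840.113556.1.4.803 is a bitwise AND.
    # Bit 2 = ACCOUNTDISABLE, bit 65536 = DONT_EXPIRE_PASSWORD.
    EnabledUsers     = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    PwdNeverExpires  = '(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))'
    # 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) follows nested membership.
    DomainAdminsDeep = "(memberOf:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,$domainDN)"
    # Parameterised lookup using the escaped value.
    ByName           = "(sAMAccountName=$safeValue)"
}

foreach ($f in $filters.GetEnumerator()) {
    $count = @(Get-ADObject -LDAPFilter $f.Value -ResultPageSize 1000).Count
    '{0,-18} {1,6} object(s)' -f $f.Key, $count
}
```

The ByName query returns zero objects for the constructed input, which is the correct outcome: the escaped string is searched for literally instead of being parsed as filter syntax.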
29. How do you raise the functional level of a domain or forest?
Use the Active Directory Domains and Trusts or Active Directory Users and Computers console to raise the domain/forest functional level.
30. How can you secure Active Directory against unauthorized access?
Implement secure password policies, enable auditing, restrict physical access to domain controllers, and regularly review permissions and group memberships.
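As an added example (not code from the original page), the read-only review below checks each control the answer names: the effective password policies, membership of the privileged groups resolved through nesting, accounts whose passwords never expire or that have gone stale, and whether the DC audits directory and account changes. It assumes the RSAT ActiveDirectory module and runs on a DC for the auditpol part; the 90-day inactivity threshold is an assumption.

```powershell
# Added example, not from the original page. Assumes RSAT ActiveDirectory module;
# the auditpol lines need to run on a DC. 90 days is an assumed threshold.
Import-Module ActiveDirectory

# Password policy: the domain default plus any fine-grained policies that override it.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, LockoutThreshold, MaxPasswordAge, PasswordHistoryCount
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, @{n='AppliesTo'; e={ $_.AppliesTo -join '; ' }}

# Privileged group review, resolved recursively so nested groups do not hide indirect admins.
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
    $members = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue)
    '{0,-18} {1,3} member(s): {2}' -f $g, $members.Count, (($members.SamAccountName | Sort-Object) -join ', ')
}

# Enabled accounts whose password never expires.
Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } |
    Select-Object SamAccountName, DistinguishedName

# Accounts that have not logged on in 90 days (stale accounts are a common foothold).
Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly |
    Where-Object Enabled |
    Select-Object SamAccountName, LastLogonDate

# Accounts still protected by AdminSDHolder (adminCount=1) that are no longer in an admin
# group: their ACLs stay locked down, and the flag is a hint of past privilege worth reviewing.
Get-ADUser -Filter { adminCount -eq 1 } -Properties MemberOf |
    Where-Object { -not ($_.MemberOf -match 'CN=(Domain|Enterprise|Schema) Admins,|CN=Administrators,') } |
    Select-Object SamAccountName

# Auditing: directory service changes and account management must be logged for the
# "enable auditing" control to mean anything.
auditpol /get /category:"DS Access"
auditpol /get /category:"Account Management"
```

Run the same script on a schedule and diff the output: a new name in Domain Admins, a new fine-grained policy with a weaker minimum length, or an audit subcategory flipped to "No Auditing" are each changes worth a ticket, and the diff is far easier to read than the raw lists.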
31. Explain the purpose of SYSVOL in Active Directory.
SYSVOL is a shared directory that stores the server’s copy of the domain’s public files, such as policies, scripts, and group policy objects.
32. What is Group Policy in Active Directory?
Group Policy is a feature in Active Directory that allows administrators to define and control user and computer settings across the network.
33. Explain the purpose of Active Directory Sites and Services.
Active Directory Sites and Services are used to manage the replication topology and control the flow of traffic between sites in a distributed network.
34. What is a Trust Relationship in Active Directory?
A Trust Relationship establishes a secure communication path between domains, allowing users from one domain to access resources in another.
35. What are GPMC and RSoP in Active Directory?
The Group Policy Management Console (GPMC) centralizes Group Policy management throughout a company. Prior to the GPMC, administrators had to use many tools to handle Group Policy.
The term “Resultant Set of Policy” (RSoP) refers to all group policies that have been applied to a user or computer. In Microsoft Windows systems, an RSoP program (Rsop.msc) is available to collect computer-specific policy information and generate a report on the group policy settings that are applied to users and computers.
36. How do you delegate administrative control in Active Directory?
Through the Active Directory Delegation of Control Wizard, which allows administrators to assign specific tasks and permissions on an OU to users or groups.
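An added example (not from the original page) of the same delegation done from the command line with dsacls, followed by the audit step the wizard does not give you: listing the explicit, non-inherited ACEs on the OU and resolving the right's GUID from the schema. It assumes the RSAT ActiveDirectory module; the OU and group names are placeholders.

```powershell
# Added example, not from the original page. Assumes RSAT ActiveDirectory module;
# the OU distinguished name and the group are placeholders.
Import-Module ActiveDirectory
$ou    = 'OU=Helpdesk Managed Users,DC=contoso,DC=com'
$group = 'CONTOSO\Helpdesk-PasswordReset'

# Grant the "Reset Password" control-access right on user objects under the OU.
# /I:S applies the ACE to child objects only, so the OU itself gains nothing.
dsacls $ou /I:S /G "${group}:CA;Reset Password;user"
# Let the same group force "change password at next logon" (write to pwdLastSet).
dsacls $ou /I:S /G "${group}:WP;pwdLastSet;user"

# Audit: explicit (non-inherited) ACEs on the OU are exactly what delegation writes,
# and what should be reviewed periodically. Inherited entries come from the parent.
$acl = Get-Acl -Path "AD:\$ou"
$acl.Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize

# ObjectType GUIDs map to extended rights or attributes; resolve them instead of guessing.
$cfgNC = (Get-ADRootDSE).configurationNamingContext
$schNC = (Get-ADRootDSE).schemaNamingContext
Get-ADObject -SearchBase "CN=Extended-Rights,$cfgNC" -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid |
    Select-Object displayName, rightsGuid
Get-ADObject -SearchBase $schNC -LDAPFilter '(lDAPDisplayName=pwdLastSet)' -Properties schemaIDGUID |
    Select-Object lDAPDisplayName, @{n='schemaIDGUID'; e={ [guid]$_.schemaIDGUID }}

# Delegations that grant GenericAll or WriteDacl on an OU are effectively full control of
# every object beneath it and deserve the same scrutiny as an admin group membership.
$acl.Access | Where-Object { -not $_.IsInherited -and $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner' } |
    Select-Object IdentityReference, ActiveDirectoryRights
```

Because the wizard never removes anything, OU ACLs accumulate over years; the non-inherited ACE listing above is the quickest way to see what has been delegated and to whom.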
37. What is DNS and its role in Active Directory?
Domain Name System (DNS) resolves domain names to IP addresses. In Active Directory, DNS is crucial for locating domain controllers and other AD resources.
38. What is the purpose of the RID Master role in Active Directory?
The RID Master is responsible for allocating unique relative identifiers (RID) to each domain controller in a domain, ensuring the uniqueness of Security Identifiers (SIDs).
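The following is an added example (not from the original page) that reads the domain's RID pool from the RID Manager$ object and decodes it, then shows each DC's own allocated block. It assumes the RSAT ActiveDirectory module; the decoding of rIDAvailablePool (high 32 bits = highest issuable RID, low 32 bits = next RID to hand out) is the documented layout of that attribute.

```powershell
# Added example, not from the original page. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory
$domain = Get-ADDomain

# The RID Master hands out RID blocks from this pool; without it, no new user, group or
# computer can get a SID once every DC's local block is used up.
$ridMgr = Get-ADObject "CN=RID Manager$,CN=System,$($domain.DistinguishedName)" -Properties rIDAvailablePool

# rIDAvailablePool is 64-bit: high half = highest RID the domain may issue, low half = next RID.
$pool    = [int64]$ridMgr.rIDAvailablePool
$maxRid  = $pool -shr 32
$nextRid = $pool -band 0xFFFFFFFF
[pscustomobject]@{
    RIDMaster   = $domain.RIDMaster
    NextRID     = $nextRid
    MaxRID      = $maxRid                      # 1073741823 unless the 31st bit has been unlocked
    PercentUsed = [math]::Round(100 * $nextRid / $maxRid, 3)
} | Format-List

# Each DC holds its current block on its RID Set object: rIDAllocationPool (low = start,
# high = end) and rIDNextRID (the next value it will assign locally).
foreach ($dc in Get-ADDomainController -Filter *) {
    $set = Get-ADObject "CN=RID Set,$($dc.ComputerObjectDN)" -Properties rIDAllocationPool, rIDNextRID `
               -Server $dc.HostName -ErrorAction SilentlyContinue
    if ($set) {
        $alloc = [int64]$set.rIDAllocationPool
        [pscustomobject]@{
            DC         = $dc.HostName
            BlockStart = $alloc -band 0xFFFFFFFF
            BlockEnd   = $alloc -shr 32
            NextRID    = $set.rIDNextRID
        }
    }
}

# dcdiag's ridmanager test verifies the FSMO holder and the pool from the DC's point of view.
dcdiag /test:ridmanager /v
```

A jump in NextRID far larger than the objects actually created is the signature of RID pool leakage (for example repeated failed promotions or restores), and catching it early is cheaper than the forest-wide workaround once the pool nears its limit.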
39. What is multimaster replication?
Active Directory uses multimaster replication to accomplish the synchronization of directory information. True multi-master replication can be contrasted with other directory services that use a master-slave approach to updates wherein all updates must be made to the master copy of the directory and then be replicated to the slave copies. This system is adequate for a directory that has a small number of copies and for an environment where all of the changes can be applied centrally.
But this approach does not scale beyond small-sized organizations nor does it address the needs of decentralized organizations. With Active Directory, no one domain controller is the master. Instead, all domain controllers within a domain are equivalent. Changes can be made to any domain controller, unlike a single-master system, where changes must be made to one server. In the single-master system, the primary server replicates the updated information to all other directory servers in the domain.
With multi-master replication, it is not necessary for every domain controller to replicate with every other domain controller. Instead, the system implements a robust set of connections that determines which domain controllers replicate to which other domain controllers to ensure that networks are not overloaded with replication traffic and that replication latency is not so long that it causes inconvenience to users. The set of connections through which changes are replicated to domain controllers in an enterprise is called the replication topology.
Multimaster update capability provides a high availability of write access to directory objects because several servers can contain writable copies of an object. Each domain controller in the domain can accept updates independently, without communicating with other domain controllers. The system resolves any conflicts in updates to a specific directory object. If updates cease and replication continues, all copies of an object eventually reach the same value.
The manner in which a directory service stores information directly determines the performance and scalability of the directory service. Directory services must handle a large number of queries compared to the number of updates they must process. A typical ratio of queries to updates is 99:1. By creating multiple copies of the directory and keeping the copies consistent, the directory service can handle more queries per second.
Multimaster replication provides the following advantages over single-master replication:
- If one domain controller becomes inoperable, other domain controllers can continue to update the directory. In single-master replication, if the primary domain controller becomes inoperable, directory updates cannot take place. For example, if the failed server holds your password and your password has expired, you cannot reset your password and therefore you cannot log on to the domain.
- Servers that are capable of making changes to the directory, which in Windows 2000 are domain controllers, can be distributed across the network and can be located in multiple physical sites.
40. Define each of the following names: DN, RDN, GUID, UPN.
- DN (Distinguished Name):
- Definition: A Distinguished Name is a unique identifier for an entry in the directory. It represents the entry’s position in the hierarchy of the directory tree and includes information about its location within the directory structure.
- RDN (Relative Distinguished Name):
- Definition: The Relative Distinguished Name is the part of the Distinguished Name that identifies an entry within its immediate parent container. It is the name of the entry relative to its parent.
- GUID (Globally Unique Identifier):
- Definition: A Globally Unique Identifier is a 128-bit value that is globally unique and typically assigned to objects in Active Directory. It ensures that each object has a unique identifier across the entire domain.
- UPN (User Principal Name):
- Definition: A User Principal Name is a user identifier in the form of an email address-style name (user@domain). It is used to log in to a domain and is an alternative to the traditional domain\username format. UPNs are user-friendly and often match email addresses for simplicity.
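As an added example (not code from the original page), the PowerShell below splits a distinguished name into its RDNs while respecting escaped commas, then shows how DN, RDN, GUID, SID and UPN relate on one live account. The sample DN is constructed; the Get-ADUser part assumes the RSAT ActiveDirectory module and a placeholder user jdoe.

```powershell
# Added example, not from the original page. The DN below is constructed; the second
# part assumes RSAT ActiveDirectory module and a placeholder user 'jdoe'.
function Split-DistinguishedName {
    # RFC 4514: components are separated by commas, but "\," inside a value is literal.
    param([Parameter(Mandatory)][string]$DN)
    [regex]::Split($DN, '(?<!\\),') | ForEach-Object { $_.Trim() }
}

$dn   = 'CN=Doe\, John,OU=Sales,OU=Users,DC=corp,DC=contoso,DC=com'
$rdns = Split-DistinguishedName $dn
"RDN (leaf)       : $($rdns[0])"                                   # CN=Doe\, John
"Parent container : $($rdns[1..($rdns.Count - 1)] -join ',')"       # OU=Sales,OU=Users,DC=corp,...
$domainParts = $rdns | Where-Object { $_ -like 'DC=*' } | ForEach-Object { $_.Substring(3) }
"DNS domain       : $($domainParts -join '.')"                      # corp.contoso.com

# On a real object: DN and RDN change on move or rename, the GUID never does,
# and the UPN is whatever an administrator set (unique per forest, not forced to equal mail).
Import-Module ActiveDirectory
$u = Get-ADUser -Identity 'jdoe' -Properties UserPrincipalName, ObjectGUID, ObjectSid, mail
[pscustomobject]@{
    DN   = $u.DistinguishedName
    RDN  = (Split-DistinguishedName $u.DistinguishedName)[0]
    GUID = $u.ObjectGUID      # 128-bit, immutable: the right key for audit correlation
    SID  = $u.ObjectSid       # what ACLs reference; stable too, but domain-scoped
    UPN  = $u.UserPrincipalName
    Mail = $u.mail
} | Format-List

# Because the GUID survives moves and renames, it is also a valid -Identity value:
Get-ADUser -Identity $u.ObjectGUID | Select-Object DistinguishedName, SamAccountName
```

Logging the GUID (or SID) alongside the DN in audit records matters because an object moved into another OU keeps its identity but changes its DN, so events keyed only on DN split one object's history into two.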
41. What is the difference between a site link and a connection object?
The site link is a logical configuration defining the replication parameters between Active Directory sites, specifying when and how replication occurs. On the other hand, a connection object represents the physical link between specific domain controllers in different sites, embodying the actual communication path for replication. Site links are high-level and logical, while connection objects are concrete and physical representations within the replication topology.
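The following PowerShell is an added example (not from the original page) that shows the two objects from Q41 side by side, and the Sites and Services data from Q33: the administrator-defined site links with their cost and schedule, and the connection objects the KCC generated from them. It assumes the RSAT ActiveDirectory module.

```powershell
# Added example, not from the original page. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Site links: logical, created by administrators, with a cost and replication interval.
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
                  @{n='Sites'; e={ ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ' <-> ' }} |
    Format-Table -AutoSize

# Connection objects: one per inbound partner on each DC, generated by the KCC from the site
# links. ReplicateFromDirectoryServer is the partner's NTDS Settings DN; take the server RDN.
Get-ADReplicationConnection -Filter * -Properties AutoGenerated, ReplicateFromDirectoryServer, ReplicateToDirectoryServer |
    Select-Object AutoGenerated,
                  @{n='From'; e={ ($_.ReplicateFromDirectoryServer -split ',')[1] -replace '^CN=' }},
                  @{n='To';   e={ ($_.ReplicateToDirectoryServer   -split ',')[1] -replace '^CN=' }} |
    Sort-Object To, From | Format-Table -AutoSize

# Manually created connections (AutoGenerated = false) are not maintained by the KCC and
# survive site link changes, so they are worth an explicit review.
Get-ADReplicationConnection -Filter { AutoGenerated -eq $false } |
    Select-Object Name, ReplicateFromDirectoryServer

# Sites and which DCs sit in each, for sanity-checking the topology above.
Get-ADReplicationSite -Filter * | ForEach-Object {
    $site = $_.Name
    $dcs  = (Get-ADDomainController -Filter { Site -eq $site }).HostName
    [pscustomobject]@{ Site = $site; DomainControllers = ($dcs -join ', ') }
}

# After changing site links, ask the KCC on this DC to recompute the topology now.
repadmin /kcc
```

If a site link exists but no connection object crosses it, the usual causes are a bridgehead that is not a global catalog for a partition that needs one, or a link whose schedule never opens; both show up in the two listings above before they show up as replication errors.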
42. Explain the difference between a domain and a forest in Active Directory.
A domain is a logical grouping of network objects, such as computers and users, while a forest is a collection of domains that share a common schema, configuration, and global catalog.
43. Which command is used to create the application directory partition?
dnscmd <ServerName> /EnlistDirectoryPartition <FQDN of partition>
Default settings for password policy
44. What is an Organizational Unit?
An Organizational Unit (OU) is a container in Active Directory used for organizing and managing objects, such as users and computers. It provides a way to structure the directory, delegate administrative tasks, apply group policies, and simplify the administration of resources within an organization.
45. Explain the difference between a User Principal Name (UPN) and a Domain User Account.
A UPN is a user login name in email address format (firstname.lastname@example.org), while a Domain User Account is the traditional username associated with a specific domain.
46. What is Loopback Group Policy?
Group Policy applies to the user or computer in a manner that depends on where both the user and the computer objects are located in Active Directory. However, in some cases, users may need policies applied to them based on the location of the computer object alone. You can use the Group Policy loopback feature to apply Group Policy Objects (GPOs) that depend only on which computer the user logs on to.
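An added example (not from the original page) for Q35 and Q46 together: generate the RSoP report that GPMC's Group Policy Results wizard produces, and determine whether loopback processing is in force on a computer and in which mode. It assumes the RSAT GroupPolicy module; the computer, user and GPO names are placeholders.

```powershell
# Added example, not from the original page. Assumes the GroupPolicy module (RSAT);
# KIOSK01, CONTOSO\jdoe and 'Kiosk Lockdown' are placeholders.
Import-Module GroupPolicy

# Q35: Resultant Set of Policy for a user on a computer, as an HTML report.
Get-GPResultantSetOfPolicy -ReportType Html -Path "$env:TEMP\rsop.html" `
    -Computer 'KIOSK01' -User 'CONTOSO\jdoe'

# The console equivalent, including GPOs that were denied and why (filtering, security, WMI).
gpresult /r /scope:user

# Q46: loopback lands in the computer's policy registry as UserPolicyMode.
# 1 = Merge (user's own GPOs, then the user settings of the computer's GPOs win on conflict)
# 2 = Replace (only the user settings from the computer's GPOs apply)
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$mode = (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
switch ($mode) {
    1       { 'Loopback: Merge' }
    2       { 'Loopback: Replace' }
    default { 'Loopback: not configured on this computer' }
}

# Which GPO sets it? Read the value from a candidate GPO's registry policy.
Get-GPRegistryValue -Name 'Kiosk Lockdown' `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' -ValueName UserPolicyMode

# A quick inventory of every GPO that configures loopback, for the change record.
Get-GPO -All | ForEach-Object {
    $v = Get-GPRegistryValue -Guid $_.Id -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
             -ValueName UserPolicyMode -ErrorAction SilentlyContinue
    if ($v) { [pscustomobject]@{ GPO = $_.DisplayName; LoopbackMode = $v.Value } }
}
```

Replace mode on a shared or kiosk computer is the common hardening use; the surprise cases are the other way round, where loopback merged onto a server OU quietly applies user lockdown settings to administrators logging on to it, which the RSoP report makes visible.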
47. Explain the concept of Group Nesting in Active Directory.
Group Nesting involves adding one group as a member of another group. It simplifies access management by allowing multiple users to be granted permissions through group memberships.
48. Explain the difference between Security Groups and Distribution Groups in Active Directory.
Security Groups are used for security-related purposes, such as assigning permissions, while Distribution Groups are used for email distribution. Users can be added to both types of groups.
49. How do you migrate or upgrade Active Directory from Windows Server 2008/2012/2016 to Windows Server 2019/2022?
50. How do you count the number of objects in Active Directory?
51. What is the purpose of the Infrastructure Master role in Active Directory?
The Infrastructure Master is responsible for updating references from objects in its domain to objects in other domains.