Active Directory Interview Questions and Answers

1. What is AD?
Active Directory is a centralized database that contains information about objects and their attributes, such as users, groups, computers, printers, OUs, contacts and shared folders, as well as domains, forests, replication and trusts.
2. What are the components of AD?
  • Logical Structure Component: Domains, Trees, Forests and OUs.
  • Physical Structure Component: Sites and Domain Controllers.
3. What protocol does AD use for directory access?
LDAP (Lightweight Directory Access Protocol)
4. What are the naming conventions used by LDAP?
  • DN (Distinguished Name): CN=mycomputer,OU=MyOrganizationalUnit,DC=nakshatraitlabs,DC=com
  • RDN (Relative Distinguished Name):
  • UPN (User Principal Name):
  • GUID (Globally Unique Identifier)
  • Canonical Name: Microsoft.com/MyOrganizationalUnit/
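Added example (not part of the original post): a small parser that splits an LDAP DN into its RDNs, honouring backslash-escaped commas, and derives the RDN and canonical name from the DN quoted above. The second sample DN with an escaped comma is constructed.

```python
import re

# Added example (not from the original post): split an LDAP Distinguished Name
# into its RDNs and derive the other names the list above mentions from it.

def split_dn(dn: str) -> list[str]:
    """Split a DN on unescaped commas; a backslash-escaped comma stays in its value."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts

def unescape(value: str) -> str:
    """Remove the backslash from escaped characters such as \\, or \\=."""
    return re.sub(r"\\(.)", r"\1", value)

def rdn(dn: str) -> str:
    """The Relative Distinguished Name is the leftmost component of the DN."""
    return split_dn(dn)[0]

def canonical_name(dn: str) -> str:
    """DNS domain built from the DC= components, then the container path root-first."""
    comps = [tuple(p.split("=", 1)) for p in split_dn(dn)]
    domain = ".".join(unescape(v) for k, v in comps if k.upper() == "DC")
    path = [unescape(v) for k, v in reversed(comps) if k.upper() != "DC"]
    return domain + "/" + "/".join(path)

if __name__ == "__main__":
    sample = "CN=mycomputer,OU=MyOrganizationalUnit,DC=nakshatraitlabs,DC=com"
    print(rdn(sample))             # CN=mycomputer
    print(canonical_name(sample))  # nakshatraitlabs.com/MyOrganizationalUnit/mycomputer
```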
5. What is a Forest?
A collection of trees that do not share a contiguous namespace.
6. What is a Domain?
A domain is a collection of computers and users that are managed together by a server (the domain controller).
7. How to promote DC on a member server?
Start > Run > Type DCPROMO
8. What are the additional tools found after installing a DC?
Active Directory Users and Computers,
Active Directory Sites and Services,
Active Directory Domains and Trusts,
Domain Controller Security Policy,
Domain Security Policy
9. What are the different functional levels in Windows Server 2003?
Domain functional level:
Forest functional level:
10. What are the different operations master roles in Windows Server 2003, and what is the impact if one of them is down?
Schema Master: Responsible for the overall management, structure and design of the schema. There is only one schema master in the entire forest.
Domain Naming Master: Responsible for the addition or removal of domains and for maintaining unique domain names. There is only one domain naming master in the entire forest.
PDC Emulator: Responsible for providing backward compatibility for NT BDCs; in mixed mode it acts as a PDC for the BDCs. It also receives password changes and synchronizes time between DCs. There is only one PDC Emulator per domain.
Infrastructure Master: Responsible for updating user and group information and updating the Global Catalog. There is only one infrastructure master per domain.
RID Master: The Relative Identifier master is responsible for assigning unique IDs to objects created in AD. There is only one RID Master per domain.
11. How do you change the Directory Services Restore Mode (DSRM) administrator password?
Start > Run > type ‘ntdsutil’ and click OK.
C:\Ntdsutil>set dsrm password
C:\Ntdsutil\set dsrm password>Reset password
C:\Ntdsutil\set dsrm password>quit
C:\Ntdsutil >quit
12. What are the scopes of Groups?
Local groups: These are truly local, defined on and available to a single computer. Local groups are created in the Security Accounts Manager (SAM) database of a domain member computer; both workstations and servers have local groups.
Membership: A local group can include as members:
• Any security principals from the domain: users, computers, global groups, or domain local groups.
• Users, computers, and global groups from any domain in the forest.
• Users, computers, and global groups from any trusted domain.
• Universal groups defined in any domain in the forest.
• Local users defined on the same computer as the local group.
Domain Local Groups: Domain local groups are used primarily to manage permissions to resources.
Membership: A domain local group can include as members:
• Any security principals from the domain: users, computers, global groups, or other domain local groups.
• Users, computers, and global groups from any domain in the forest
• Users, computers, and global groups from any trusted domain
• Universal groups defined in any domain in the forest
Global Groups: Global groups are used primarily to define collections of domain objects based on business roles.
Membership: A global group can include as members users, computers, and other global groups from the same domain only.
Universal Groups:  A universal group is defined in a single domain in the forest but is replicated to the global catalog. Universal groups are useful in multidomain forests. They let you define roles, or manage resources, that span more than one domain.
Membership: A universal group can include as members users, global groups, and other universal groups from any domain in the forest.
Group scope summary (members from the same domain / members from another domain in the same forest / members from a trusted external domain):
Local: same domain: users, computers, global groups, universal groups, domain local groups, and local users defined on the same computer as the local group; another domain in the same forest: users, computers, global groups, universal groups; trusted external domain: users, computers, global groups.
Domain Local: same domain: users, computers, global groups, universal groups, domain local groups; another domain in the same forest: users, computers, global groups, universal groups; trusted external domain: users, computers, global groups.
Global: same domain: users, computers, global groups; another domain in the same forest: N/A; trusted external domain: N/A.
Universal: same domain: users, computers, global groups, universal groups; another domain in the same forest: users, computers, global groups, universal groups; trusted external domain: N/A.
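Added example (not part of the original post): the group-scope membership rules above encoded as a lookup table, with a checker that flags proposed group nesting the rules reject. The relation names and the group and member names in the sample design are constructed for the example.

```python
# Added example (not from the original post): the group-scope membership table
# above as a lookup, plus a checker for a proposed nesting design.

PRINCIPALS = {"user", "computer"}
ALLOWED = {
    "local": {
        "same_domain": PRINCIPALS | {"global", "universal", "domain_local", "local_user"},
        "same_forest": PRINCIPALS | {"global", "universal"},
        "external_trust": PRINCIPALS | {"global"},
    },
    "domain_local": {
        "same_domain": PRINCIPALS | {"global", "universal", "domain_local"},
        "same_forest": PRINCIPALS | {"global", "universal"},
        "external_trust": PRINCIPALS | {"global"},
    },
    "global": {
        "same_domain": PRINCIPALS | {"global"},
        "same_forest": set(),       # global groups take members from their own domain only
        "external_trust": set(),
    },
    "universal": {
        "same_domain": PRINCIPALS | {"global", "universal"},
        "same_forest": PRINCIPALS | {"global", "universal"},
        "external_trust": set(),    # forest-wide, but not across an external trust
    },
}

def can_be_member(group_scope: str, member_type: str, relation: str) -> bool:
    """True if a member of member_type, located per `relation` to the group's
    domain (same_domain / same_forest / external_trust), may join the group."""
    return member_type in ALLOWED[group_scope][relation]

def invalid_memberships(proposed):
    """Return the (group, member) pairs of a proposed design that the rules reject.
    Each entry is a dict with group, scope, member, member_type and relation."""
    return [(p["group"], p["member"]) for p in proposed
            if not can_be_member(p["scope"], p["member_type"], p["relation"])]

SAMPLE_DESIGN = [  # constructed sample, not real directory data
    {"group": "FileShare_Read_DL", "scope": "domain_local", "member": "Sales_GG",
     "member_type": "global", "relation": "same_forest"},
    {"group": "Sales_GG", "scope": "global", "member": "jdoe (child domain)",
     "member_type": "user", "relation": "same_forest"},
    {"group": "AllSales_UG", "scope": "universal", "member": "Partner_GG",
     "member_type": "global", "relation": "external_trust"},
    {"group": "Workstation_Admins (local)", "scope": "local", "member": "HelpDesk_UG",
     "member_type": "universal", "relation": "same_domain"},
]

if __name__ == "__main__":
    print(invalid_memberships(SAMPLE_DESIGN))
```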
13. What are Directory Partitions?
To scale to tens of millions of objects, a forest is partitioned into domains. Each Active Directory domain controller can be a member of one domain, and domain controllers within the same domain contain the same information. Domain controllers from different domains share the same configuration and schema data, but they do not share the same domain data. The means of distributing storage in this manner is the directory partition, which is also called a "naming context."
In Active Directory, a directory partition is a portion of the directory namespace. Each directory partition contains a hierarchy of directory objects in the directory tree. The same directory partition can be stored as copies on many domain controllers.
Schema: Contains the Schema container, which stores class and attribute definitions for all existing and possible Active Directory objects in cn=schema,cn=configuration,dc=forestRootDomain. Updates to this container are replicated to all domain controllers in the forest. You can view the contents of the Schema container in the Active Directory Schema console.
Configuration: Contains the Configuration container, which stores configuration objects for the entire forest in cn=configuration,dc=forestRootDomain. Updates to this container are replicated to all domain controllers in the forest. Configuration objects store information about sites, services, and directory partitions. You can view the contents of the Configuration container by using ADSI Edit.
Domain: Contains a <domain> container, which stores users, computers, groups, and other objects for a specific domain. Updates to the <domain> container are replicated only to domain controllers within the domain and to Global Catalog servers. The hierarchy of domain directory partitions can be viewed in the Active Directory Domains and Trusts console, where trust relationships between domains can be managed.
Application directory partitions: An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition.
14. What is LDAP?
The Lightweight Directory Access Protocol (LDAP) is an application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
The Lightweight Directory Access Protocol (LDAP) is a directory service protocol that runs on a layer above the TCP/IP stack. It provides a mechanism used to connect to, search, and modify Internet directories.
The LDAP directory service is based on a client-server model. The function of LDAP is to enable access to an existing directory.
15. Where is the AD database stored?
AD stores its database in "C:\Windows\ntds\ntds.dit" by default; the location can be changed during or after DC promotion.
Some other files are generated in the NTDS folder:
ntds.dit – The actual AD database file, where the objects and their information are written.
edb.log – Transactions are written to this log before being written to the AD database.
res1.log – A log file that reserves space for use during low disk space.
res2.log – The second reserve log file, used when res1 is filled.
edb.chk – The checkpoint file; it records the last transaction written into the AD database.
16. What is AD replication and difference between Intersite and Intrasite replication?
The AD directory service maintains an exact copy of the directory data on all domain controllers in a forest, which ensures that all updated directory information is available to all users.
All domain controllers within a forest hold a replica of the schema and configuration partitions for that forest and all domain controllers within a particular domain hold a replica of the domain partition for their domain.
Application directory partitions hold directory data specific to a particular application and can be stored by domain controllers belonging to different domains.
Active Directory uses remote procedure call (RPC) over Internet Protocol (IP) to transfer replication data between domain controllers. RPC over IP is used for both intersite and intrasite replication. To keep data secure while in transit, RPC over IP replication uses both authentication and data encryption.
Intrasite Replication: The replication that occurs among all domain controllers within an AD site is called intrasite replication. The Active Directory Knowledge Consistency Checker (KCC) builds the intrasite replication topology using a bidirectional ring design. The bidirectional ring topology attempts to create at least two connections to each domain controller (for fault tolerance) and no more than three hops between any two domain controllers.
Intersite Replication: The replication that occurs between domain controllers in two or more different AD sites is called intersite replication. The Active Directory Knowledge Consistency Checker (KCC) builds the intersite replication topology using a least-cost spanning tree design.
One domain controller per site, called the intersite topology generator, is assigned to build the topology.
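Added example (not part of the original post): a model of the intrasite ring described above that checks the two stated properties (at least two connections per DC, no more than three hops between any pair) and adds shortcut connections until the hop limit holds. The shortcut choice (join the farthest pair) is an assumed simplification for illustration, not the KCC's actual optimizing-connection algorithm; the DC names are constructed.

```python
from collections import deque
from itertools import combinations

# Added example (not from the original post): bidirectional ring topology model
# for intrasite replication, with a simplified KCC-style hop-limit optimisation.

def ring_topology(dcs):
    """Bidirectional ring: each DC connects to its two neighbours (fault tolerance)."""
    n = len(dcs)
    if n == 1:
        return {dcs[0]: set()}
    return {dcs[i]: {dcs[(i - 1) % n], dcs[(i + 1) % n]} for i in range(n)}

def hops(topo, src, dst):
    """Replication hops between two DCs: shortest path over connection objects."""
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, dist = queue.popleft()
        if node == dst:
            return dist
        for nxt in topo[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None  # unreachable: replication would be broken

def max_hops(topo):
    """Largest hop count between any two DCs in the site."""
    return max((hops(topo, a, b) for a, b in combinations(topo, 2)), default=0)

def kcc_like_topology(dcs, limit=3):
    """Ring plus shortcut connections until no two DCs are more than `limit` hops apart.
    ASSUMPTION: joining the farthest pair each round is a simplification, not the
    real KCC algorithm; it only illustrates why extra connections appear in large sites."""
    topo = ring_topology(dcs)
    while max_hops(topo) > limit:
        a, b = max(combinations(topo, 2), key=lambda pair: hops(topo, *pair))
        topo[a].add(b)
        topo[b].add(a)
    return topo

if __name__ == "__main__":
    site = [f"DC{i}" for i in range(8)]  # constructed site with eight DCs
    print(max_hops(ring_topology(site)))   # 4: a plain ring of 8 breaks the 3-hop rule
    print(max_hops(kcc_like_topology(site)))  # 3 after shortcut connections are added
```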
17. What are the tools used in Active Directory?
DCDiag, NETDiag, Repadmin, Replmon, NLTest
18. What is tombstone lifetime in active directory?
The tombstone lifetime in Active Directory determines how long a deleted object (called a "tombstone") is retained in Active Directory. The tombstone lifetime is determined by the value of the tombstoneLifetime attribute on the Directory Service object in the configuration directory partition.
19. What are the trusts in Active Directory?
20.  What are the port in `
21.
