Active Directory (AD) Interview Questions and Answers- Part-1

1. What is Active Directory?

Answer-Active Directory (AD) is a directory service developed by Microsoft that stores objects such as users, computers, printers and network information. It lets you manage a network effectively with multiple Domain Controllers in different locations, each holding a copy of the AD database: changes can be made on any Domain Controller and are replicated to all other DCs. This gives centralized administration across multiple geographical locations, and AD authenticates users and computers in a Windows domain.

2. Define Active Directory?

Answer-Active Directory is a database that stores data pertaining to the users within a network as well as the objects within the network. Active Directory allows the compilation of networks that connect with AD, as well as the management and administration thereof.

3. What is Domain?

Answer-Active Directory Domain Services is Microsoft’s Directory Server. It provides authentication and authorization mechanisms as well as a framework within which other related services can be deployed.

4. What is Active Directory Domain Controller (DC)?

Answer-A Domain Controller is the server that holds the AD database. All AD changes made on one DC are replicated to the other DCs, and vice versa.

5. What is a domain within Active Directory?

Answer-A domain represents a group of network resources that includes computers, printers, applications and other resources. Domains share a directory database. The domain is represented by the address of the resources within the database. A domain address generally looks like 125.170.456. A user can log into a domain to gain access to the resources that are listed as part of that domain.

6. What is the domain controller?

Answer-The server that responds to user requests for access to the domain is called the Domain Controller or DC. The Domain Controller allows a user to gain access to the resources within the domain through the use of a single username and password.

7. What is a Tree?

Answer-A tree is a hierarchical arrangement of Windows domains that share a contiguous name space.

8. What is a Forest?

Answer-A forest consists of multiple domain trees. The domain trees in a forest do not form a contiguous name space; however, they share a common schema and global catalog (GC).

9. Explain what domain trees and forests are?

Answer-Domains that share common schemas and configurations can be linked to form a contiguous namespace. Domains within the trees are linked together by creating special relationships between the domains based on trust. Forests consist of a number of domain trees that are linked together within AD, based on various implicit trust relationships. Forests are generally created where a server setup includes a number of root DNS addresses. Trees within the forest do not share a contiguous namespace.

10. What is the Schema?

Answer-The Active Directory schema is the set of definitions that define the kinds of objects, and the type of information about those objects, that can be stored in Active Directory. The schema is a collection of object classes and their attributes. For example: Object class = User; Attributes = first name, last name, email, and others.

11. What is FSMO?

Answer-FSMO (flexible single master operations) is a specialized set of domain controller (DC) tasks, used where standard data transfer and update methods are inadequate. AD normally relies on multiple peer DCs, each with a copy of the AD database, kept synchronized by multi-master replication.

12. Tell me about the FSMO roles?

Answer-The five FSMO roles are:
• Schema Master
• Domain Naming Master
• Infrastructure Master
• RID Master
• PDC Emulator

Schema Master The schema is shared between every Tree and Domain in a forest and must be consistent between all objects. The schema master controls all updates and modifications to the schema.

Domain Naming Master The Domain Naming Master FSMO role owner is the DC responsible for making changes to the forest-wide domain name space of the directory in the Partitions container.

Infrastructure Master The Infrastructure FSMO role is one of the three “per domain” Operations Masters. The infrastructure FSMO keeps its domain’s references to objects in other domains up-to-date by comparing its data with information in the Global Catalog (GC).

RID Master Every security principal created in a domain receives a SID. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that is unique for each security principal SID created in a domain. RIDs are allocated from a RID pool that is controlled by the RID Master FSMO.

Relative ID (RID) Master Allocates RIDs to DCs within a domain. When an object such as a user, group or computer is created in AD it is given a SID. The SID consists of a Domain SID (which is the same for all SIDs created in the domain) and a RID which is unique within the domain. When moving objects between domains you must start the move on the DC which is the RID master of the domain that currently holds the object.
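As an added example (not part of the original post), the PowerShell below splits a SID into the domain SID and the RID described above, and marks the well-known RIDs that Windows fixes in advance as opposed to the ones a DC takes from the pool the RID Master hands out. It needs no domain connection, because it only uses the .NET SecurityIdentifier class; the sample SIDs are constructed, the domain part S-1-5-21-1111-2222-3333 is a placeholder, and Split-Sid and $WellKnownRids are names chosen for this example.

```powershell
# Added example, not from the original post. Uses only .NET; no domain needed.
# Well-known RIDs are fixed by Windows; RIDs from 1000 upward come from the
# pool that the RID Master allocates to each DC.
$WellKnownRids = @{
    500 = 'Administrator'; 501 = 'Guest';        502 = 'krbtgt'
    512 = 'Domain Admins'; 513 = 'Domain Users'; 516 = 'Domain Controllers'
    518 = 'Schema Admins'; 519 = 'Enterprise Admins'
}

function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    $sidObj = [System.Security.Principal.SecurityIdentifier]::new($Sid)
    $parts  = $Sid -split '-'
    $rid    = [int]$parts[-1]
    # AccountDomainSid is $null for SIDs that belong to no domain, e.g. BUILTIN (S-1-5-32-*)
    $domainSid = if ($sidObj.AccountDomainSid) { $sidObj.AccountDomainSid.Value } else { $null }
    [pscustomobject]@{
        Sid         = $Sid
        DomainSid   = $domainSid
        Rid         = $rid
        WellKnown   = $WellKnownRids[$rid]
        FromRidPool = ($null -ne $domainSid) -and ($rid -ge 1000)
    }
}

# Constructed sample SIDs (placeholder domain S-1-5-21-1111-2222-3333).
$samples = @(
    'S-1-5-21-1111-2222-3333-500',   # built-in Administrator: RID 500 even if the account is renamed
    'S-1-5-21-1111-2222-3333-512',   # Domain Admins group
    'S-1-5-21-1111-2222-3333-1105',  # an ordinary object created from the RID pool
    'S-1-5-32-544'                   # BUILTIN\Administrators: local to each machine, no domain SID
)
$samples | ForEach-Object { Split-Sid $_ } | Format-Table -AutoSize
```

Because the RID, not the name, identifies the built-in Administrator, an audit that wants to find that account should look for RID 500 rather than for the name "Administrator".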

Role placement Microsoft recommends the careful division of FSMO roles, with standby DCs ready to take over each role. The PDC emulator and the RID master should be on the same DC, if possible. The Schema Master and Domain Naming Master should also be on the same DC.

PDC Emulator The PDC emulator acts as a Windows NT PDC for backwards compatibility, so it can process updates to a BDC. It is also responsible for time synchronization within a domain. It is also the password master (for want of a better term) for a domain: any password change is replicated to the PDC emulator as soon as is practical, and if a logon request fails due to a bad password, the request is passed to the PDC emulator to check the password before the logon is rejected.

13. How to check which server holds which role?

Answer-Netdom query FSMO.
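The same information as "netdom query fsmo", returned as objects a script can test against the placement advice from question 12, as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory module (installed with the AD DS tools / RSAT) in a domain-joined session; Get-FsmoRoleHolders and Test-FsmoPlacement are names chosen here.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# PowerShell module in a domain-joined session.
Import-Module ActiveDirectory

# Same answer as "netdom query fsmo", but as one object.
function Get-FsmoRoleHolders {
    $forest = Get-ADForest      # the two forest-wide roles
    $domain = Get-ADDomain      # the three per-domain roles (current domain)
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# Checks the placement advice quoted in the post (PDC emulator with RID master,
# schema master with domain naming master), plus the standard rule that the
# infrastructure master must not be a global catalog unless every DC is one,
# and that every role holder actually answers on the network.
function Test-FsmoPlacement {
    $roles   = Get-FsmoRoleHolders
    $dcs     = Get-ADDomainController -Filter *
    $allGc   = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    $infraGc = (Get-ADDomainController -Identity $roles.InfrastructureMaster).IsGlobalCatalog

    $holders     = $roles.PSObject.Properties.Value | Sort-Object -Unique
    $unreachable = $holders | Where-Object { -not (Test-Connection -ComputerName $_ -Count 1 -Quiet) }

    [pscustomobject]@{
        PdcAndRidTogether       = $roles.PDCEmulator -eq $roles.RIDMaster
        SchemaAndNamingTogether = $roles.SchemaMaster -eq $roles.DomainNamingMaster
        InfrastructureMasterOk  = (-not $infraGc) -or $allGc
        AllRoleHoldersReachable = @($unreachable).Count -eq 0
        UnreachableHolders      = @($unreachable)
    }
}

Get-FsmoRoleHolders
Test-FsmoPlacement
```

Get-ADDomain reports the per-domain roles of the domain the session is joined to; in a multi-domain forest, run it once per domain (Get-ADDomain -Identity child.example) to see all RID, PDC and infrastructure masters.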

14. What is LDAP?

Answer-LDAP is an acronym for Lightweight Directory Access Protocol and it refers to the protocol used to access, query and modify the data stored within the AD directories. LDAP is an internet standard protocol that runs over TCP/IP.
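An added example, not from the original post, that ties questions 10 and 14 together: the first function reads a class definition straight from the schema partition (the "object class = user, attributes = ..." relationship from question 10), and the second shows LDAP filter syntax by querying the directory for a setting an auditor typically wants to know about. It assumes the ActiveDirectory module in a domain-joined session; Get-SchemaClassAttributes and Find-NeverExpiringPasswords are names chosen here.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module in a domain-joined session.
Import-Module ActiveDirectory

# Q10: the attributes the schema allows on a class, read from the classSchema
# object in the schema naming context. Attributes inherited from parent or
# auxiliary classes (organizationalPerson, person, top, ...) are not listed here.
function Get-SchemaClassAttributes {
    param([string]$ClassName = 'user')
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$ClassName))" `
        -Properties mayContain, systemMayContain, mustContain, systemMustContain, subClassOf
    if (-not $cls) { throw "No schema class with lDAPDisplayName '$ClassName'" }
    [pscustomobject]@{
        Class    = $ClassName
        Parent   = $cls.subClassOf
        Required = @(@($cls.mustContain; $cls.systemMustContain) | Where-Object { $_ })
        Optional = @(@($cls.mayContain;  $cls.systemMayContain)  | Where-Object { $_ })
    }
}

# Q14: an LDAP filter. Finds enabled user accounts whose password never expires.
# The rule OID 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) tests bits of
# the userAccountControl mask: 0x2 = ACCOUNTDISABLE, 0x10000 = DONT_EXPIRE_PASSWORD.
function Find-NeverExpiringPasswords {
    $filter = '(&(objectCategory=person)(objectClass=user)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=65536)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    Get-ADUser -LDAPFilter $filter -Properties passwordLastSet, userAccountControl |
        Select-Object SamAccountName, DistinguishedName, passwordLastSet
}

(Get-SchemaClassAttributes -ClassName user).Optional | Sort-Object | Select-Object -First 10
Find-NeverExpiringPasswords | Format-Table -AutoSize
```

The same filter string works unchanged in any LDAP client (ldp.exe, ldapsearch, ADSI Edit's query builder), which is the point of LDAP being a standard protocol rather than a Microsoft-only API.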

15. Explain what intrasite and intersite replication is and how KCC facilitates replication?

Answer-Replication between DCs inside a single site is called intrasite replication, while replication between DCs in different sites is called intersite replication. Intrasite replication occurs frequently, while intersite replication runs on a schedule to conserve network bandwidth. KCC is an acronym for the Knowledge Consistency Checker, a process that runs on all of the Domain Controllers and builds the replication topology both within sites and between sites. Between sites, replication is done through SMTP or RPC, while intrasite replication uses remote procedure calls over IP.

16. Name a few of the tools available in Active Directory and which tool would you use to troubleshoot any replication issues?

Answer-Active Directory tools include:
• Dfsutil.exe
• Netdiag.exe
• Repadmin.exe
• Adsiedit.msc
• Netdom.exe
• Replmon.exe
Replmon.exe is a graphical tool designed to visually represent AD replication. Due to its graphical nature, replmon.exe allows you to easily spot and deal with replication issues.
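An added example, not from the original post, covering the replication material of questions 15 and 16: it lists the intersite topology (site links and their schedule), reports each replication partner of one DC with a staleness flag, pulls recorded failures, and ends with the repadmin.exe commands that give the same view from the command line. One caveat worth knowing when the question comes up: replmon.exe shipped with the Windows Server 2003 support tools and is not included in Windows Server 2008 and later, so repadmin and the cmdlets below are the supported route. The code assumes the ActiveDirectory module and repadmin.exe in a domain-joined session; the function names are chosen here.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# and repadmin.exe (both part of the AD DS tools) in a domain-joined session.
Import-Module ActiveDirectory

# Q15, intersite: every site link, its cost and how often it replicates.
function Get-IntersiteTopology {
    Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes |
        Select-Object Name, Cost, ReplicationFrequencyInMinutes,
            @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }
}

# Q15/Q16: one DC's view of each partner and partition. A partner is "stale" when
# its last successful replication is older than $MaxAgeHours; raise that value to
# cover the longest site-link interval (default 180 minutes) or intersite partners
# will be flagged on every run.
function Get-ReplicationHealth {
    param(
        [string]$Server = (Get-ADDomainController -Discover).HostName,
        [int]$MaxAgeHours = 3
    )
    $cutoff = (Get-Date).AddHours(-$MaxAgeHours)
    Get-ADReplicationPartnerMetadata -Target $Server | ForEach-Object {
        [pscustomobject]@{
            Partition   = $_.Partition
            # Partner is the DN of the partner's NTDS Settings object; element 1 is CN=<DC name>
            Partner     = ($_.Partner -split ',')[1] -replace '^CN='
            LastSuccess = $_.LastReplicationSuccess
            Failures    = $_.ConsecutiveReplicationFailures
            LastResult  = $_.LastReplicationResult   # 0 = last attempt succeeded
            Stale       = $_.LastReplicationSuccess -lt $cutoff
        }
    }
}

# Q16: failures the DCs themselves have recorded, domain-wide.
function Get-ReplicationFailures {
    Get-ADReplicationFailure -Target (Get-ADDomain).DNSRoot -Scope Domain |
        Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError
}

# Q16: the same view from repadmin.exe. "repadmin /kcc <dc>" asks the Knowledge
# Consistency Checker on that DC to recompute its topology immediately.
function Show-RepadminSummary {
    param([string]$Server = (Get-ADDomainController -Discover).HostName)
    repadmin /replsummary          # one line per DC: largest delta, fails/total
    repadmin /showrepl $Server     # per-partition partner status on that DC
}

Get-IntersiteTopology | Format-Table -AutoSize
Get-ReplicationHealth | Format-Table -AutoSize
Get-ReplicationFailures | Format-Table -AutoSize
```

A partner whose ConsecutiveReplicationFailures keeps climbing, or a DC that is missing from "repadmin /replsummary" altogether, is the normal starting point for a replication ticket; the failure type and last error from Get-ReplicationFailures usually name the cause (DNS, RPC reachability, lingering objects).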

17. What tool would you use to edit AD?

Answer-Adsiedit.msc is a low-level editing tool for Active Directory. Adsiedit.msc is a Microsoft Management Console snap-in with a graphical user interface that allows administrators to accomplish simple tasks like adding, editing and deleting objects within a directory service. Adsiedit.msc uses Application Programming Interfaces to access Active Directory. Since Adsiedit.msc is a Microsoft Management Console snap-in, it requires access to MMC and a connection to an Active Directory environment to function correctly.

18. How would you manage trust relationships from the command prompt?

Answer-Netdom.exe is another program within Active Directory that allows administrators to manage Active Directory. Netdom.exe is a command-line application that allows administrators to manage trust relationships within Active Directory from the command prompt. Netdom.exe allows for batch management of trusts. It allows administrators to join computers to domains. The application also allows administrators to verify trusts and secure Active Directory channels.
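An added example, not part of the original post, showing the trust-management tasks listed above: an inventory of the domain's trusts with the two settings a reviewer cares about (SID filtering and selective authentication), a check for trusts where SID filtering is off, and the matching netdom.exe commands. It assumes the ActiveDirectory module and netdom.exe in a domain-joined session; corp.example, partner.example, WS01 and corp\joiner are placeholders, and the function names are chosen here.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# and netdom.exe; corp.example, partner.example and WS01 are placeholders.
Import-Module ActiveDirectory

# Every trust of the current domain with its security-relevant settings.
function Get-TrustInventory {
    Get-ADTrust -Filter * |
        Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest,
                      SIDFilteringQuarantined, SIDFilteringForestAware, SelectiveAuthentication
}

# Trusts to other forests or external domains on which SID filtering is disabled.
# SID filtering is what stops SIDs from the trusted side (for example via sIDHistory)
# being accepted as authority in this domain, so these trusts deserve a review.
function Find-TrustsWithoutSidFiltering {
    Get-TrustInventory | Where-Object {
        -not $_.IntraForest -and
        -not $_.SIDFilteringQuarantined -and
        -not $_.SIDFilteringForestAware
    }
}

# Secure channel of this machine to its domain (the PowerShell equivalent of
# "netdom verify"); -Repair resets it when it is broken.
function Test-MemberSecureChannel { Test-ComputerSecureChannel }

Get-TrustInventory | Format-Table -AutoSize
Find-TrustsWithoutSidFiltering | Format-Table -AutoSize

# The same operations from the command prompt with netdom.exe:
#   netdom trust corp.example /domain:partner.example /verify             verify the trust
#   netdom trust corp.example /domain:partner.example /verify /kerberos   verify Kerberos across it
#   netdom verify WS01 /domain:corp.example                               verify a member's secure channel
#   netdom join WS01 /domain:corp.example /userd:corp\joiner /passwordd:* join a computer (prompts for the password)
```

Both Get-ADTrust and "netdom trust ... /verify" read the trust from this side only; verify from both domains when a trust is reported broken, since the two sides hold separate trust passwords.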

19. Where is the AD database held and how would you create a backup of the database?

Answer-The database is stored within the Windows NTDS directory. You could create a backup of the database by creating a backup of the System State data using the default NTBACKUP tool provided by Windows, or by Symantec's NetBackup. The System State backup will create a backup of the local registry, the boot files, the COM+ class registration database, the NTDS.DIT file as well as the SYSVOL folder.
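An added example, not from the original post, for the same two questions on a current Windows Server: where this particular DC keeps NTDS.DIT (read from the NTDS service parameters in the registry rather than assumed), and a System State backup with Windows Server Backup, which replaced NTBACKUP from Windows Server 2008 onward. It assumes it is run on a domain controller as an administrator; E: is a placeholder for the backup volume and the function names are chosen here. Since NTDS.DIT holds the password hashes of every account in the domain, the backup target and its media need the same protection as the DC itself.

```powershell
# Added example, not from the original post. Run on a domain controller as an
# administrator. E: is a placeholder for a backup volume.

# 1. Where this DC keeps the database and its transaction logs. The promotion
#    process records the paths under the NTDS service parameters.
function Get-NtdsPaths {
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    [pscustomobject]@{
        DatabaseFile     = $p.'DSA Database file'          # usually C:\Windows\NTDS\ntds.dit
        WorkingDirectory = $p.'DSA Working Directory'
        LogDirectory     = $p.'Database log files path'
    }
}

# 2. System State backup (registry, boot files, COM+ database, NTDS.DIT, SYSVOL)
#    with Windows Server Backup. The target should be a volume other than the
#    one holding the operating system or the NTDS files.
function Start-SystemStateBackup {
    param([string]$TargetVolume = 'E:')
    if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
        Install-WindowsFeature -Name Windows-Server-Backup | Out-Null
    }
    # NTDS.DIT is open while the directory service runs; wbadmin takes a VSS
    # snapshot, which is why the file is copied this way rather than directly.
    wbadmin start systemstatebackup -backupTarget:$TargetVolume -quiet
}

# 3. Confirm a backup version now exists (also the list used for a restore).
function Get-BackupVersions { wbadmin get versions }

Get-NtdsPaths
Start-SystemStateBackup -TargetVolume 'E:'
Get-BackupVersions
```

Restoring AD from such a backup is done by booting the DC into Directory Services Restore Mode and running "wbadmin start systemstaterecovery" against one of the versions listed in step 3.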

20. What is SYSVOL, and why is it important?

Answer-SYSVOL is a folder that exists on all domain controllers. It is the repository for all of the Active Directory files. It stores all the important elements of Active Directory group policy. The File Replication Service or FRS allows the replication of the SYSVOL folder among domain controllers. Logon scripts and policies are delivered to each domain user via SYSVOL. SYSVOL stores all of the security-related information of the AD.

21. Briefly explain how Active Directory authentication works?

Answer-When a user logs into the network, the user provides a username and password. The computer sends this username and password to the KDC which contains the master list of unique long term keys for each user. The KDC creates a session key and a ticket granting ticket. This data is sent to the user’s computer. The user’s computer runs the data through a one-way hashing function that converts the data into the user’s master key, which in turn enables the computer to communicate with the KDC, to access the resources of the domain.

If you have any questions feel free to contact me on admin@windowstechno.com also follow me on facebook @windowstechno to get updates about new blog posts.
