Active Directory Interview Questions & Answers
Category 1: Basic Concepts & Fundamentals
1. What is Active Directory (AD)?
Answer: Active Directory is a directory service developed by Microsoft for Windows domain networks. It is a centralized database that stores information about network resources (users, computers, printers, etc.) and provides authentication and authorization services. Essentially, it's the "phone book" for your network that also acts as a security guard.
2. What is the difference between a Workgroup and a Domain?
Answer:
Workgroup: A peer-to-peer network where each computer has its own local user database (the SAM). Authentication is decentralized, there is no central administration, and it suits only very small networks (e.g., fewer than 10 computers).
Domain: A client-server network where a central server (Domain Controller) manages security and authentication for all computers and users. Provides centralized administration and scales to large organizations.
3. What is a Domain Controller (DC)?
Answer: A Domain Controller is a server that runs Active Directory Domain Services (AD DS). It answers authentication requests (Kerberos and NTLM logons, LDAP queries, permission checks) within a Windows domain and holds a writable copy of the AD database (NTDS.dit). The exception is a Read-Only Domain Controller (RODC), intended for branch offices, which holds a read-only copy and caches only the credentials it is explicitly allowed to cache.
4. What is the SYSVOL folder?
Answer: SYSVOL is a shared folder (`\\<domain>\SYSVOL`) present on every Domain Controller that holds the domain's public files: the file portion of Group Policy Objects (policy templates, scripts) and logon scripts. Its contents are replicated between DCs by DFS Replication (FRS in older domains), so it must be healthy for Group Policy to apply consistently. Because every authenticated user can read SYSVOL, never place credentials in it; the Group Policy Preferences `cpassword` attribute, for example, is a well-known source of recoverable passwords.
5. What is the Active Directory Schema?
Answer: The Schema is the blueprint of the Active Directory database. It defines the object classes that can be stored (user, computer, group, ...) and the attributes each class may have (a user object has attributes such as `givenName`, `sn` and `userPrincipalName`; the password itself is stored only as hashes in `unicodePwd`, which cannot be read over LDAP). The schema is forest-wide and changes to it are effectively permanent, since classes and attributes can be deactivated but never deleted. Changes are written on the Schema Master role holder and are usually driven by application installs such as Exchange.
6. Name some common AD objects.
Answer: User, Computer, Group, Printer, Shared Folder, Contact, Organizational Unit (OU).
---
Category 2: Core
Components & Structure
7. What is a Forest, Tree, and Domain? Explain the logical
hierarchy.
Answer:
Forest: The top-level logical container. A forest is a collection of one or more domain trees that share a common schema, configuration partition, and Global Catalog. It is the security boundary: all domains in a forest trust each other through transitive trusts, and a compromise of any domain in the forest (for example of its Domain Admins) should be treated as a compromise of the whole forest.
Tree: A collection of one or more domains connected by a contiguous DNS namespace. For example, `root.com` and `child.root.com` form a tree.
Domain: A logical group of objects (users, computers, groups) that share one domain partition of the AD database. It is the unit of replication for that partition and of administrative policy (password policy, Domain Admins), but it is not a security boundary on its own.
8. What is an Organizational Unit (OU)? How is it different
from a Group?
Answer:
Organizational Unit (OU): A container used to organize objects within a domain for administrative purposes. OUs are where Group Policy Objects are linked and where control is delegated (e.g., an OU for "Sales Users" whose members receive the Sales GPOs).
Group: A collection of users, computers, or other groups used to assign permissions to resources such as files, shares, or printers (e.g., a group granted "Read" on the Sales share). A security group is a security principal with a SID; an OU is not.
Permissions are assigned to groups, not OUs; policies are linked to OUs, not groups.
9. What is the Global Catalog (GC)?
Answer: The Global Catalog is a distributed data repository that contains a partial, read-only replica of every object in the forest (a subset of attributes known as the Partial Attribute Set). It is hosted by Domain Controllers configured as GC servers and queried over LDAP ports 3268 and 3269 (LDAPS). It lets users and applications find objects in any domain without knowing the domain name, and it is required at logon in multi-domain forests because Universal Group membership is stored only in the GC.
10. What are the different AD Partitions?
Answer: The AD database is divided into partitions (naming contexts) that replicate independently:
Domain Partition: Contains domain-specific objects (users, computers, groups, OUs). Replicates only to the DCs of that domain.
Schema Partition: Contains the definition of object classes and attributes. Replicates to every DC in the forest.
Configuration Partition: Contains the forest's physical topology and settings (sites, subnets, site links, trusts, replication topology). Replicates to every DC in the forest.
Application Partitions: Optional partitions with a custom replication scope, most commonly `DomainDnsZones` and `ForestDnsZones` for AD-integrated DNS.
---
Category 3:
Administration & Management
11. What is Group Policy?
Answer: Group Policy is a feature that allows administrators to implement specific configurations for users and computers. Group Policy Objects (GPOs) are collections of settings that can be linked to sites, domains, or OUs to enforce security, deploy software, and configure desktop environments centrally.
12. What is the order of Group Policy Application? (LSDOU)
Answer: The order is often remembered by the acronym LSDOU:
1. Local: The local policy on the computer itself.
2. Site: Policies linked to the Active Directory site.
3. Domain: Policies linked to the domain.
4. OU: Policies linked to Organizational Units, applied from parent OU to child OU.
Note: Later settings override earlier ones, so an OU-linked GPO normally wins over a domain-linked one, and within one container GPOs are processed in link order. "Block Inheritance" on an OU stops policies from above from applying; "Enforced" on a link overrides Block Inheritance and cannot be overridden by lower-level GPOs. Security filtering and WMI filters further restrict which objects a GPO applies to.
13. What are the different types of AD groups?
(AGDLP/AGUDLP)
Answer:
Group Scope: Defines where the group can draw members from and where it can be granted permissions.
Domain Local: Can contain members from any domain in the forest (and from trusted domains), but can only be assigned permissions to resources in its own domain.
Global: Can contain members only from its own domain, but can be assigned permissions to resources in any domain in the forest (or in trusting forests).
Universal: Can contain members from any domain in the forest and can be assigned permissions anywhere in the forest. Its membership list is stored in the Global Catalog, so membership changes replicate forest-wide. (The old requirement of at least Windows 2000 native mode for universal security groups is met by every supported functional level.)
Group Type:
Security Group: Security-enabled; it is added to access tokens and can be used in ACLs and user-rights assignments (it can also be mail-enabled).
Distribution Group: Used only for email distribution lists; it is not security-enabled, is not added to access tokens, and cannot be used in an ACL.
14. Explain the AGDLP best practice.
Answer: Accounts go into Global groups (roles), Global groups go into Domain Local groups (access levels on a resource), and Permissions are assigned only to the Domain Local groups. In multi-domain forests a Universal group can be placed between the two (AGUDLP) to collect Global groups from several domains. The strategy keeps ACLs stable (a new employee is added to one role group, never to a resource ACL), minimizes Universal group membership changes, which replicate to every Global Catalog, and simplifies cross-domain permission management.
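The following PowerShell is an added example, not part of the original page, that walks the AGDLP chain end to end for one file share. Everything named in it is a placeholder assumption: the OU `OU=Groups,DC=corp,DC=example`, the share `\\fs01\Sales`, and the users `alice` and `bob` are assumed to exist, and the ActiveDirectory module (RSAT) is assumed to be installed.

```powershell
# Added example: AGDLP for the Sales share. OU, share path and user names are
# placeholders; the ActiveDirectory module (RSAT) must be available.
Import-Module ActiveDirectory

$groupOU   = 'OU=Groups,DC=corp,DC=example'
$sharePath = '\\fs01\Sales'

# A -> G: accounts go into a Global group that represents a role. A Global
# group can only contain principals from its own domain.
New-ADGroup -Name 'GG-Sales-Users' -GroupScope Global -GroupCategory Security `
    -Path $groupOU -Description 'Role: all Sales staff'
Add-ADGroupMember -Identity 'GG-Sales-Users' -Members 'alice', 'bob'

# DL: a Domain Local group represents one level of access to one resource.
New-ADGroup -Name 'DL-Sales-Share-Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Path $groupOU -Description 'Resource: Modify on \\fs01\Sales'

# G -> DL: nest the role group into the resource group. Global groups from
# other domains in the forest (or trusted forests) can be nested the same way.
Add-ADGroupMember -Identity 'DL-Sales-Share-Modify' -Members 'GG-Sales-Users'

# P: the NTFS permission is granted to the Domain Local group only, never to
# individual users and never to the Global role group.
$sid  = (Get-ADGroup -Identity 'DL-Sales-Share-Modify').SID
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $sid, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl  = Get-Acl -Path $sharePath
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Verify the chain. Get-ADPrincipalGroupMembership shows only direct membership,
# so use the LDAP_MATCHING_RULE_IN_CHAIN filter (OID 1.2.840.113556.1.4.1941)
# to list every group that contains alice directly or through nesting. Both
# GG-Sales-Users and DL-Sales-Share-Modify should appear.
$userDn = (Get-ADUser -Identity 'alice').DistinguishedName
Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$userDn)" |
    Select-Object Name, GroupScope, GroupCategory
```

The final query is also the quickest way to audit effective group membership when reviewing who can reach a resource, since ACL reviews that only look at direct members miss every nested path.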
15. What is AD Replication?
Answer: AD Replication is the process of synchronizing the Active Directory database between Domain Controllers so that every DC converges on the same data. It uses a multi-master model: a change can be made on any writable DC and is replicated to the others (RODCs only receive changes). DCs track changes with Update Sequence Numbers (USNs) and replicate only the attributes that changed; password changes are additionally forwarded immediately to the PDC Emulator, and account lockouts are replicated urgently.
16. What are AD Sites, and what is their purpose?
Answer: An AD Site is an object that represents one or more well-connected IP subnets (typically one physical location); subnets are mapped to sites in Active Directory Sites and Services. Sites are used to:
Control Replication Traffic: Replication within a site (intra-site) is triggered by change notification within seconds and is not compressed. Replication between sites (inter-site) follows the site link schedule and cost and is compressed to conserve bandwidth.
Locate Services: The DC locator uses the client's subnet-to-site mapping to return a Domain Controller (and DFS/SYSVOL targets) in the client's own site, giving faster logon and resource access. A subnet that is not mapped to any site defeats this.
---
Category 4: Advanced
& Troubleshooting
17. What are the FSMO Roles? Name and describe each.
Answer: FSMO (Flexible Single Master Operations) roles are roles held by exactly one DC per forest or per domain for tasks that cannot safely be performed in a multi-master way. There are five roles:
Forest-Wide Roles:
Schema Master: The only DC on which schema changes can be written.
Domain Naming Master: Controls the addition and removal of domains (and application partitions) in the forest.
Domain-Wide Roles (each domain has its own):
PDC Emulator: Authoritative time source for the domain, receives every password change immediately, is consulted when another DC sees a bad password, records account lockouts, and is the default DC on which Group Policy edits are made. It is the most operationally sensitive role.
RID Master: Allocates pools of unique Relative Identifiers (RIDs) to the other DCs in the domain; a DC needs RIDs to create security principals (users, groups, computers), since a SID is the domain SID plus a RID.
Infrastructure Master: Updates references to objects in other domains (for example cross-domain group memberships). It should not be hosted on a Global Catalog unless every DC in the domain is a GC, or it will stop updating those references.
18. How do you check which DC holds a FSMO role?
Answer:
1. Using Command Line: `netdom query fsmo`
2. Using PowerShell: `Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster` for the forest roles and `Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster` for the domain roles.
3. Using Active Directory Users and Computers: Right-click the domain -> "Operations Masters" for the PDC, RID, and Infrastructure roles.
4. Using Active Directory Domains and Trusts: Right-click the root node -> "Operations Master" for the Domain Naming Master.
5. Using Active Directory Schema: For the Schema Master (the schema snap-in must first be registered with `regsvr32 schmmgmt.dll`, then added to an MMC console).
19. What is the AD Recycle Bin?
Answer: The AD Recycle Bin is an optional feature that lets administrators restore deleted objects, with their attributes and group memberships intact, without performing an authoritative restore or rebooting a Domain Controller into DSRM. It requires a forest functional level of Windows Server 2008 R2 or higher, is enabled with `Enable-ADOptionalFeature` (or from the Active Directory Administrative Center), and cannot be disabled afterwards. It only protects objects deleted after it was enabled; earlier deletions exist only as tombstones with most attributes stripped.
20. What is the difference between authoritative and
non-authoritative restore?
Answer: Both restores start from a System State backup and are performed with the DC booted into Directory Services Restore Mode (DSRM).
Non-Authoritative Restore: The restored data is treated as old. After the DC comes back online, normal replication overwrites it with any newer changes from the other DCs. This is the usual way to recover a single failed DC.
Authoritative Restore: Performed after the non-authoritative restore and before rebooting normally: `ntdsutil` ("authoritative restore", then "restore object" or "restore subtree") raises the version numbers of the selected objects so that they are treated as newest and replicate out to every other DC. This recovers objects that were deleted domain-wide, for example an entire OU, when the AD Recycle Bin is not available.
21. What command-line tools do you use for AD management?
Answer:
`dsa.msc`: Active Directory Users and Computers (an MMC snap-in rather than a command-line tool, but the everyday interface).
`dsquery` / `dsget` / `dsmod` / `dsadd` / `dsrm`: Command-line utilities for querying and modifying AD objects.
PowerShell ActiveDirectory module (`Get-ADUser`, `Get-ADGroupMember`, `Get-ADReplicationPartnerMetadata`, ...): The modern scripting interface, installed with RSAT or present on any DC.
`nltest`: Checks secure channels, trusts, and DC discovery (`nltest /dsgetdc:<domain>`).
`repadmin`: The primary tool for diagnosing replication issues.
`dcdiag`: A comprehensive tool for analyzing the state of Domain Controllers.
`gpresult` / `gpupdate`: For Group Policy results and forcing updates.
`netdom`: For managing domains, computer accounts, and trust relationships.
`ntdsutil`: For FSMO seizure, authoritative restores, and database maintenance.
---
Category 5:
Scenario-Based & Problem-Solving
22. A user calls and says, "I changed my password
yesterday, but today my old password still works." What could be the
issue?
Answer: Two things to separate first. By design, Windows accepts the old password for NTLM network logons for up to 60 minutes after a change (the `OldPasswordAllowedPeriod` LSA setting), so an old password working within the first hour is normal. A day later it is most likely replication: the change was written on one Domain Controller (and forwarded to the PDC Emulator), but the DC the user's computer is authenticating against today has not received it and still holds the old hash. Compare the user's `pwdLastSet` on each DC, use `repadmin /showobjmeta` to see where the change originated and its version, and `repadmin /showrepl` or `repadmin /replsummary` to find the replication link that is failing.
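As an added example (not part of the original page), the following PowerShell does the comparison described above: it reads the user's `pwdLastSet` from every DC individually and reports which DCs are behind, then shows the inbound replication state of each stale DC. The account name `jdoe` is a placeholder, and the ActiveDirectory module (RSAT) is assumed to be available.

```powershell
# Added example: compare a user's pwdLastSet on every DC to find the ones that
# have not received the password change. 'jdoe' is a placeholder account; the
# ActiveDirectory module (RSAT) must be available.
Import-Module ActiveDirectory

function Get-PwdLastSetPerDC {
    param([Parameter(Mandatory)][string]$SamAccountName)

    foreach ($dc in Get-ADDomainController -Filter * | Sort-Object HostName) {
        try {
            # Query this DC directly (-Server) so we see its local copy of the
            # attribute rather than whichever DC the client happened to pick.
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties pwdLastSet
            [pscustomobject]@{
                DC         = $dc.HostName
                Site       = $dc.Site
                PwdLastSet = [DateTime]::FromFileTimeUtc($u.pwdLastSet)
                Reachable  = $true
            }
        } catch {
            [pscustomobject]@{ DC = $dc.HostName; Site = $dc.Site; PwdLastSet = $null; Reachable = $false }
        }
    }
}

$results = Get-PwdLastSetPerDC -SamAccountName 'jdoe'
$results | Format-Table -AutoSize

# The newest pwdLastSet is the real change; every reachable DC showing an
# older value still holds (and will accept) the old password.
$newest = ($results | Where-Object Reachable | Sort-Object PwdLastSet -Descending | Select-Object -First 1).PwdLastSet
$stale  = $results | Where-Object { $_.Reachable -and $_.PwdLastSet -lt $newest }

if ($stale) {
    "DCs with a stale copy of the password:"
    $stale | Select-Object DC, Site, PwdLastSet
    foreach ($s in $stale) {
        # Inbound replication state of the stale DC: a non-zero LastReplicationResult
        # or a LastReplicationSuccess older than the change points at the broken link.
        Get-ADReplicationPartnerMetadata -Target $s.DC -Partition * -PartnerType Inbound |
            Select-Object Partner, Partition, LastReplicationResult, LastReplicationSuccess, ConsecutiveReplicationFailures
    }
} else {
    "All reachable DCs agree on pwdLastSet ($newest UTC); replication is not the cause."
}
```

Unreachable DCs are listed separately rather than ignored, because a DC that cannot be queried from the admin workstation may still be the one the user's site is authenticating against.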
23. A user complains that logins are very slow, but the
network is otherwise fine. What are some possible AD-related causes?
Answer:
Site topology: The user's computer is authenticating to a Domain Controller in a remote site over a slow WAN link, usually because the client's subnet is not mapped to a site (check Sites and Subnets; `nltest /dsgetdc:<domain>` shows which DC the client picked and in which site).
DNS: The client cannot quickly locate a Domain Controller. Clients must point only at internal DNS servers that host the `_msdcs` SRV records; an external DNS server listed first causes long timeouts.
Group Policy processing: Slow logon scripts, folder redirection, drive mappings to unreachable servers, or an unreachable SYSVOL replica all delay logon (`gpresult /r` and the Group Policy operational event log show per-GPO timing).
24. How would you delegate control to allow the Help Desk to
reset user passwords, but not change any other properties?
Answer: Use the "Delegation of Control Wizard" in Active Directory Users and Computers: right-click the OU containing the users, add the Help Desk group, and choose the task "Reset user passwords and force password change at next logon". Under the hood the wizard adds two ACEs on the OU that apply to descendant user objects: the "Reset Password" control access right, and read/write on the `pwdLastSet` attribute. No other attribute becomes writable. Two caveats: the right is as powerful as the accounts it covers, so the OU must not contain administrative or service accounts (resetting an admin's password is a privilege-escalation path), and the wizard only adds permissions, so removing them later means editing the OU's Security tab or using `dsacls`.
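The following PowerShell is an added example, not from the original page, that sets the same two ACEs the wizard sets and then audits who holds password-reset rights on the OU. The group `HelpDesk` and the OU `OU=Staff,DC=corp,DC=example` are placeholder assumptions; the ActiveDirectory module (RSAT) is assumed to be installed, since it provides the `AD:` drive used with `Get-Acl`/`Set-Acl`. The GUIDs are looked up from the forest's own schema and Extended-Rights container rather than hard-coded.

```powershell
# Added example: delegate "Reset user passwords and force password change at
# next logon" to the HelpDesk group on one OU, then audit the result. Group and
# OU names are placeholders; the ActiveDirectory module provides the AD: drive.
Import-Module ActiveDirectory

$ou      = 'OU=Staff,DC=corp,DC=example'
$sid     = (Get-ADGroup -Identity 'HelpDesk').SID
$rootDse = Get-ADRootDSE

# Resolve the GUIDs from this forest's schema and Extended-Rights container.
$userClass  = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
$pwdLastSet = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                -LDAPFilter '(lDAPDisplayName=pwdLastSet)' -Properties schemaIDGUID).schemaIDGUID
$resetPwd   = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$rwProp   = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'

# ACE 1: the "Reset Password" control access right, inherited by user objects only
# (last argument = inherited object type).
$aceReset = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $sid, $extRight, $allow, $resetPwd, $inherit, $userClass

# ACE 2: read/write pwdLastSet, which is what "user must change password at
# next logon" actually sets. Nothing else on the object becomes writable.
$aceFlag = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $sid, $rwProp, $allow, $pwdLastSet, $inherit, $userClass

$acl = Get-Acl -Path "AD:\$ou"
$acl.AddAccessRule($aceReset)
$acl.AddAccessRule($aceFlag)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Audit: who can reset passwords (or rewrite the ACL itself) under this OU?
# This is the same question an attacker asks when mapping ACL-based paths,
# so the answer must not include anyone you would not trust with every
# account in the OU.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ObjectType -eq $resetPwd -or
         $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner')
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
```

Run only the audit part periodically: delegated rights accumulate over years, and an entry granting `GenericAll` or `WriteDacl` on an OU full of users is equivalent to the password-reset right plus the ability to grant it to others.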
25. If you suspect a DC is not replicating, what steps would
you take?
Answer:
1. Basic Check: Run `dcdiag /s:<DC>` (or `dcdiag /test:replications`) against the suspect DC.
2. Check Replication Partners: Use `repadmin /replsummary` for a forest-wide overview and `repadmin /showrepl <DC>` to see the suspect DC's partners, the time of the last attempt, and its result code.
3. Force Replication: Use `repadmin /syncall <DC> /AdeP` to push a sync of all partitions and watch for errors (for example 1722 "RPC server is unavailable", 8453 "Replication access was denied", or 8614 when a DC has been offline longer than the tombstone lifetime).
4. Check Connectivity: Replication itself runs over RPC, so TCP 135 (endpoint mapper) plus the dynamic RPC range (49152-65535 by default) must be open between DCs, in addition to DNS (53), Kerberos (88), LDAP (389/636), SMB for SYSVOL (445), and the Global Catalog (3268).
5. Check DNS: Each DC must resolve its partners' names, including the `<NTDS Settings GUID>._msdcs.<forest root>` CNAME records the replication engine uses, and its own records must be registered (`dcdiag /test:dns`, `nltest /dsregdns`).
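As an added example (not part of the original page), the following PowerShell runs the five steps above against one suspect DC in order. `DC02` is a placeholder name; the script assumes a domain-joined admin workstation with RSAT installed (`repadmin`, `dcdiag`, and the ActiveDirectory module) and a Windows version that provides `Test-NetConnection` and `Resolve-DnsName`.

```powershell
# Added example: first-pass replication health check for one DC. 'DC02' is a
# placeholder; run from a domain-joined admin workstation with RSAT.
Import-Module ActiveDirectory
$suspect = 'DC02'

# Step 1: broad health check of the suspect DC (/q prints only failures).
dcdiag "/s:$suspect" /q

# Step 2: inbound partners, last result (0 = success) and last success time,
# for every partition the DC hosts, plus the failures the DC itself recorded.
Get-ADReplicationPartnerMetadata -Target $suspect -Partition * -PartnerType Inbound |
    Select-Object Partner, Partition, LastReplicationResult, LastReplicationSuccess,
                  LastReplicationAttempt, ConsecutiveReplicationFailures |
    Format-Table -AutoSize
Get-ADReplicationFailure -Target $suspect

# Step 3: force a full sync and surface errors. /A all partitions, /e cross-site,
# /P push from the suspect, /d report servers by DN instead of GUID.
repadmin /syncall $suspect /AdeP

# Step 4: connectivity. Replication is RPC: the endpoint mapper on 135 hands
# out a dynamic high port, so 135 must be open and the dynamic range
# (49152-65535 by default) must not be filtered between DCs.
foreach ($p in 53, 88, 135, 389, 445) {
    $ok = (Test-NetConnection -ComputerName $suspect -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,5}  {1}' -f $p, $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# Step 5: DNS. Partners find each other by the CNAME <NTDS Settings GUID>._msdcs.<forest root>;
# if it does not resolve, replication fails before any RPC call is made.
$forestRoot = (Get-ADForest).RootDomain
foreach ($dc in Get-ADDomainController -Filter *) {
    $dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID
    $cname   = "$dsaGuid._msdcs.$forestRoot"
    try {
        $target = (Resolve-DnsName -Name $cname -Type CNAME -ErrorAction Stop).NameHost
        "$($dc.HostName): $cname -> $target"
    } catch {
        "$($dc.HostName): $cname does NOT resolve"
    }
}
```

Step 4 only proves the fixed ports; a firewall that blocks the dynamic RPC range shows up as error 1722 in step 3 even though every listed port reports open, which is why the two checks are run together.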
Good luck with your interview!