Top 25 Active Directory Interview Questions and Answers for Windows Server Administrators


Windows Server Interview Questions and Answers – Section 2: Active Directory (25 Questions)

Active Directory is one of the most important topics for Windows Server administrators. Whether you are preparing for a Windows Server Administrator, System Administrator, Infrastructure Engineer, or Active Directory Administrator interview, you should understand not only the definitions but also how Active Directory works in a real enterprise environment.

In this section, we cover 25 important Active Directory interview questions and answers, from basic concepts such as domains and forests to advanced topics such as FSMO roles, RODC, Active Directory Recycle Bin, and disaster recovery.


Q1. What is Active Directory?

Answer:

Active Directory (AD) is Microsoft’s directory service used to centrally manage users, computers, groups, security policies, and other network resources in a Windows domain environment.

The primary Active Directory role used in most organizations is Active Directory Domain Services (AD DS).

Active Directory provides:

  • Centralized user authentication

  • Centralized authorization

  • User and computer management

  • Group management

  • Group Policy management

  • Resource access control

  • Domain-based administration

  • Replication between Domain Controllers

Real-World Example

Consider a company with 1,000 employees.

Without Active Directory, administrators would need to create and manage user accounts separately on individual computers.

With Active Directory:

  1. The administrator creates one domain account.

  2. The user can log in to authorized domain-joined computers.

  3. Group Policy automatically applies company security settings.

  4. Security groups control access to shared resources.

Interview Tip

Active Directory is the directory service, while AD DS is the Windows Server role that provides domain services.


Q2. What is a Domain?

Answer:

A domain is a logical administrative and security boundary within Active Directory.

It contains objects such as:

  • Users

  • Computers

  • Groups

  • Servers

  • Organizational Units

  • Group Policies

Example domain:

corp.example.com

A user account may appear as:

CORP\sharan

or:

sharan@corp.example.com

Key Point

A domain provides centralized:

  • Authentication

  • Authorization

  • Administration

  • Policy management


Q3. What is an Active Directory Forest?

Answer:

A forest is the highest-level logical structure in Active Directory.

A forest can contain one or more domains that share:

  • A common schema

  • A common configuration

  • A Global Catalog

  • Automatic transitive trust relationships

Example:

example.com

Child domains:

india.example.com

usa.example.com

uk.example.com

All these domains can exist within the same forest.

Important Interview Point

The forest is an important security and administrative boundary in Active Directory.


Q4. What is an Active Directory Tree?

Answer:

An Active Directory tree is a collection of one or more domains that share a contiguous DNS namespace.

Example:

example.com

india.example.com

hyderabad.india.example.com

These domains form a tree because their DNS namespaces are hierarchical and connected.

Forest vs Tree

A tree uses a contiguous namespace.

A forest may contain multiple trees with different DNS namespaces.


Q5. What is an Organizational Unit (OU)?

Answer:

An Organizational Unit is a container within an Active Directory domain used to organize objects.

An OU can contain:

  • Users

  • Computers

  • Groups

  • Other OUs

Example:

Company
India
Hyderabad
IT Department
Users

Main Uses of OUs

  • Apply Group Policies

  • Delegate administrative permissions

  • Organize Active Directory objects

Interview Tip

An OU is not a security boundary. It is primarily an administrative and Group Policy scope.


Q6. What is the difference between an OU and a Container?

Answer:

Both OUs and containers can hold Active Directory objects, but they are not identical.

An OU is designed for:

  • Group Policy linking

  • Administrative delegation

  • Logical organization

A default container, such as the built-in Users or Computers container, is primarily used to store objects and does not provide the same direct GPO-linking functionality as an OU.

Example

Default container:

CN=Users

Organizational Unit:

OU=Finance

Interview Point

If you need to apply a GPO directly to a collection of users or computers, organize them into an OU.


Q7. What is a Domain Controller?

Answer:

A Domain Controller (DC) is a Windows Server running Active Directory Domain Services.

A Domain Controller performs functions such as:

  • User authentication

  • Computer authentication

  • Directory searches

  • Group Policy processing support

  • Active Directory replication

  • Kerberos authentication

  • LDAP directory services

Recommended Enterprise Design

Organizations should normally deploy multiple Domain Controllers for redundancy and availability.

If one Domain Controller fails, another can continue providing authentication and directory services.


Q8. What is the Global Catalog?

Answer:

The Global Catalog (GC) is a distributed data repository that contains:

  • A full copy of objects from its own domain

  • A partial attribute set of objects from other domains in the forest

The Global Catalog helps with:

  • Forest-wide searches

  • User logon processes

  • Universal group membership evaluation

Common Port

Global Catalog LDAP:

TCP 3268

Global Catalog over SSL/TLS:

TCP 3269

Interview Scenario

If a multi-domain environment has Global Catalog availability problems, users may experience logon and directory search issues.


Q9. What is LDAP?

Answer:

LDAP stands for Lightweight Directory Access Protocol.

It is a protocol used to access and query directory services such as Active Directory.

Common ports:

  • LDAP: TCP/UDP 389

  • LDAPS: TCP 636

  • Global Catalog: TCP 3268

  • Global Catalog over SSL/TLS: TCP 3269

Example Distinguished Name

CN=Sharan Kumar,OU=IT,DC=corp,DC=example,DC=com

Applications can use LDAP to:

  • Search users

  • Query groups

  • Read directory attributes

  • Authenticate or integrate with directory services


Q10. What is Kerberos?

Answer:

Kerberos is the primary authentication protocol used in modern Active Directory domain environments.

Kerberos uses a ticket-based authentication system.

Important components include:

  • Client

  • Service

  • Key Distribution Center (KDC)

  • Ticket Granting Ticket (TGT)

  • Service Ticket

Simplified Authentication Flow

User logs in
→ Requests authentication
→ Receives a TGT
→ Requests a service ticket
→ Accesses the requested service

Common Port

TCP/UDP 88

Important Requirement

Time synchronization is critical for Kerberos authentication.

Large clock differences can cause authentication failures.


Q11. What is NTLM?

Answer:

NTLM is an older Microsoft authentication protocol.

It uses a challenge-response mechanism.

NTLM may still be used when:

  • Kerberos cannot be used

  • A legacy application requires NTLM

  • A system is accessed in a workgroup scenario

  • Name resolution or SPN configuration prevents Kerberos authentication

Kerberos vs NTLM

Kerberos:

  • Ticket-based

  • Supports mutual authentication

  • Preferred in Active Directory environments

NTLM:

  • Challenge-response based

  • Older authentication protocol

  • Generally less capable than Kerberos for modern domain authentication

Security Best Practice

Reduce unnecessary NTLM usage where possible, but test application compatibility before restricting it.


Q12. What is SYSVOL?

Answer:

SYSVOL is a shared folder on Domain Controllers that stores important domain files.

It commonly contains:

  • Group Policy files

  • Logon scripts

  • Startup scripts

  • Shutdown scripts

Default path:

C:\Windows\SYSVOL

SYSVOL is shared so domain clients and other Domain Controllers can access required policy and script data.

Modern Active Directory environments use DFS Replication (DFSR) for SYSVOL replication.

Troubleshooting Commands

dcdiag

repadmin /replsummary

repadmin /showrepl


Q13. What is NETLOGON?

Answer:

NETLOGON is both an important Windows service and the name associated with a shared folder on Domain Controllers.

The Netlogon service helps support:

  • Domain authentication

  • Secure channel operations

  • Domain Controller location

  • Domain-related logon processes

The NETLOGON share commonly provides access to logon scripts.

Check Shares

net share

You will normally see:

SYSVOL

NETLOGON


Q14. What is NTDS.dit?

Answer:

NTDS.dit is the Active Directory database file stored on a Domain Controller.

Default location:

C:\Windows\NTDS\NTDS.dit

It contains directory information about objects such as:

  • Users

  • Groups

  • Computers

  • Organizational Units

  • Group memberships

  • Directory attributes

Security Point

The Active Directory database contains highly sensitive information and must be strongly protected.


Q15. What are FSMO Roles?

Answer:

FSMO stands for Flexible Single Master Operations.

Active Directory uses five FSMO roles for operations that should be handled by a designated Domain Controller.

Forest-Wide Roles

  1. Schema Master

  2. Domain Naming Master

Domain-Wide Roles

  1. RID Master

  2. PDC Emulator

  3. Infrastructure Master

Check FSMO Role Holders

netdom query fsmo

PowerShell:

Get-ADForest

Get-ADDomain


Q16. What is the RID Master?

Answer:

RID stands for Relative Identifier.

The RID Master allocates RID pools to Domain Controllers.

When a new security principal is created, such as a:

  • User

  • Group

  • Computer

the Domain Controller uses a RID to help generate a unique Security Identifier (SID).

SID Concept

Domain SID + RID = Unique Object SID

Failure Impact

If the RID Master is temporarily unavailable, Domain Controllers can continue creating security principals while they still have available RID pools.

Long-term RID Master failure can eventually prevent new security principals from being created.


Q17. What is the PDC Emulator?

Answer:

The PDC Emulator is one of the most operationally important FSMO roles.

Its responsibilities include:

  • Time synchronization hierarchy

  • Preferential handling of password changes

  • Account lockout coordination

  • Supporting certain Group Policy operations

  • Compatibility functions for older environments

Interview Scenario

If users recently changed their passwords but experience authentication inconsistencies, the PDC Emulator and AD replication should be investigated.

Time Service Command

w32tm /query /status


Q18. What is the Infrastructure Master?

Answer:

The Infrastructure Master helps maintain references to objects from other domains.

For example, if a user from Domain A is a member of a group in Domain B, the Infrastructure Master helps keep cross-domain object reference information updated.

Important Design Point

The historical placement guidance regarding the Infrastructure Master and Global Catalog is most relevant in multi-domain forests. The practical impact depends on the forest design and whether all Domain Controllers are Global Catalog servers.


Q19. What is the Schema Master?

Answer:

The Schema Master controls updates to the Active Directory schema.

The schema defines:

  • Object classes

  • Object attributes

Examples:

User objects may have attributes such as:

  • Name

  • Email address

  • Department

  • Telephone number

Important Point

There is only one Schema Master in an Active Directory forest.

Schema modifications should be carefully planned, tested, and backed up because schema changes affect the entire forest.


Q20. What is the Domain Naming Master?

Answer:

The Domain Naming Master controls changes to the domain namespace of an Active Directory forest.

It is involved when:

  • Adding a domain

  • Removing a domain

  • Making certain directory partition changes

There is one Domain Naming Master per forest.


Q21. How do you transfer FSMO roles?

Answer:

A transfer is a planned movement of an FSMO role from a healthy Domain Controller to another healthy Domain Controller.

FSMO roles can be transferred using:

  • Active Directory Users and Computers

  • Active Directory Domains and Trusts

  • Active Directory Schema snap-in

  • PowerShell

PowerShell Example

Move-ADDirectoryServerOperationMasterRole -Identity "DC02" -OperationMasterRole PDCEmulator

Transfer All Five Roles

Move-ADDirectoryServerOperationMasterRole -Identity "DC02" -OperationMasterRole 0,1,2,3,4

Best Practice

Verify Active Directory replication and Domain Controller health before and after transferring roles.


Q22. How do you seize FSMO roles?

Answer:

FSMO role seizure is used when the current FSMO role holder has permanently failed and cannot be brought back into service in its previous state.

A seizure is an emergency operation.

PowerShell Example

Move-ADDirectoryServerOperationMasterRole -Identity "DC02" -OperationMasterRole PDCEmulator -Force

Important Warning

After seizing a role, carefully follow Microsoft recovery guidance before returning the failed Domain Controller to the environment. The old server may need to be rebuilt or properly cleaned up, depending on the failure and recovery scenario.

Transfer vs Seize

Transfer = Planned operation with the current role holder available.

Seize = Emergency operation when the current role holder is permanently unavailable.


Q23. What is an RODC?

Answer:

RODC stands for Read-Only Domain Controller.

An RODC contains a read-only copy of the Active Directory database.

It is commonly used in:

  • Branch offices

  • Remote locations

  • Locations with weaker physical security

  • Sites with limited local IT support

Key Features

  • Read-only Active Directory database

  • Password Replication Policy

  • Controlled credential caching

  • Reduced exposure compared with a writable Domain Controller in certain branch-office scenarios

Example

Head Office:

Writable Domain Controllers

Branch Office:

RODC

The branch office can receive local authentication services while reducing some of the risks associated with placing a writable Domain Controller in a less secure location.


Q24. What is the Active Directory Recycle Bin?

Answer:

The Active Directory Recycle Bin allows administrators to restore accidentally deleted Active Directory objects while preserving important attributes.

Objects that may be restored include:

  • Users

  • Groups

  • Computers

  • Organizational Units

PowerShell Examples

Enable the feature:

Enable-ADOptionalFeature

Find deleted objects:

Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects

Restore an object:

Restore-ADObject

Important Point

Plan and verify the requirements before enabling the Active Directory Recycle Bin. Once enabled, it is not designed to be disabled again.


Q25. How do you restore Active Directory?

Answer:

The recovery method depends on the failure scenario.

Common recovery options include:

1. Active Directory Recycle Bin

Used for restoring accidentally deleted AD objects when the feature is enabled and the object is still recoverable.

2. Non-Authoritative Restore

The Domain Controller is restored, and newer Active Directory data is then obtained through replication from healthy Domain Controllers.

3. Authoritative Restore

Specific restored objects are marked authoritative so that the restored version is replicated to other Domain Controllers.

4. System State Recovery

A valid System State backup can be used as part of Domain Controller recovery.

Important Recovery Principle

Active Directory recovery should be based on:

  • The scope of the failure

  • Availability of healthy Domain Controllers

  • Backup validity

  • Replication health

  • Whether one object, one Domain Controller, one domain, or the entire forest is affected


Active Directory Troubleshooting Commands

Every Windows Server Administrator should know these commands:

dcdiag

Checks Domain Controller health.

repadmin /replsummary

Displays an Active Directory replication summary.

repadmin /showrepl

Displays detailed inbound replication status.

netdom query fsmo

Displays FSMO role holders.

nltest /dsgetdc:domain.com

Locates a Domain Controller.

nltest /sc_verify:domain.com

Verifies the secure channel.

w32tm /query /status

Checks Windows Time service status.

gpresult /r

Displays applied Group Policy information.

nslookup

Troubleshoots DNS name resolution.

Get-ADUser

Queries Active Directory users with PowerShell.


Real-World Active Directory Troubleshooting Flow

When a user reports:

“I cannot log in to the domain.”

Check the issue in this order:

  1. Verify physical or network connectivity.

  2. Check the client IP configuration.

  3. Verify that the client uses the correct internal DNS server.

  4. Test connectivity to a Domain Controller.

  5. Test DNS resolution.

  6. Locate a Domain Controller.

  7. Check time synchronization.

  8. Verify the user account status.

  9. Check whether the account is locked or disabled.

  10. Verify the computer’s secure channel.

  11. Check Domain Controller health.

  12. Check Active Directory replication.

  13. Review Event Viewer logs.

Useful commands:

ipconfig /all

ping DC01

nslookup corp.example.com

nltest /dsgetdc:corp.example.com

nltest /sc_verify:corp.example.com

w32tm /query /status

dcdiag

repadmin /replsummary


Quick Revision – Active Directory

Active Directory → Centralized directory service

Domain → Logical administrative and authentication boundary

Forest → Highest-level Active Directory logical structure

Tree → Domains sharing a contiguous namespace

OU → Organization, delegation, and Group Policy scope

Domain Controller → Server running AD DS

Global Catalog → Forest-wide object search and partial attribute repository

LDAP → Directory access protocol

Kerberos → Primary domain authentication protocol

SYSVOL → Group Policy files and scripts

NTDS.dit → Active Directory database

FSMO → Five designated single-master operational roles

RODC → Read-only Domain Controller

AD Recycle Bin → Recovery of deleted Active Directory objects


Conclusion

Active Directory is one of the most important technologies for Windows Server administrators. Interviewers often begin with basic questions such as domains, forests, and Organizational Units, but experienced-level interviews quickly move into FSMO roles, authentication, replication, SYSVOL, Domain Controller health, and disaster recovery.

A strong Windows Server administrator should not only know the definition of each Active Directory component but should also understand how to troubleshoot real production problems using tools such as dcdiag, repadmin, nltest, nslookup, Event Viewer, and PowerShell.

Next Section: DNS – Top 15 Windows Server Interview Questions and Answers

Comments

Popular posts from this blog

How to install VNX Launcher that has embedded java and Firefox

DHCP FAILED APIPA IS USED

Zabbix Server is not working: the information dispaly may not be current