Active Directory Interview Questions – Part 1

By | October 30, 2019

1. What is Active Directory?
Active Directory is a Meta Data. Active Directory is a data base which store a data like your user information, computer information and other network object info. It has capabilities to manage and administer the complete Network which connect with AD.

What is Azure Active Directory (Azure AD)?
Azure Active Directory (Azure AD) is Microsoft’s cloud based identity and access management service, which helps the domain users to sign in and access resources in:

  • External resources, such as Microsoft Office 365, the Azure portal, and thousands of other SaaS applications.
  • Internal resources, such as apps on your corporate network and intranet, along with any cloud apps developed by your own organization.
  • You can use the various Microsoft Cloud for Enterprise Architects Series posters to better understand the core identity services in Azure, Azure AD, and Office 365.

2. What is Active Directory Domain Services?
In Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In Windows Server 2008 and Windows Server 2008 R2, the directory service is named Active Directory Domain Services (AD DS). The rest of this topic refers to AD DS, but the information is also applicable to Active Directory.

3. What is domain in AD?
A domain is a set of network resources (applications, printers, and so forth) for a group of users. The user need only to log in to the domain to gain access to the resources, which may be located on several different servers in the network. A domain is defined as a logical group of network objects (computers, users, devices) that share the same Active Directory database.

4. What is domain controller?
A Domain controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, etc.) within the Windows Server domain. A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of computer resources with the use of a single username and password combination.

5. What is Replication in AD?
Replication is the process by which the changes that are made on one domain controller are synchronized with all other domain controllers in the domain or forest that store copies of the same information.

6. What is LDAP?
Lightweight Directory Access Protocol (LDAP) is a client/server protocol used to access and manage directory information. It reads and edits directories over IP networks and runs directly over TCP/IP using simple string formats for data transfer.

7. Where is the AD database held? What other folders are related to AD?
By default AD data base is stored in c:\windows\ntds\NTDS.DIT. SYSVOL & NETLOGON are other folders related to AD DS.

8. What is KCC?
The Knowledge Consistency Checker (KCC) is a built-in process that runs on all domain controllers and creates the replication topology for the forest. KCC (knowledge consistency checker) – It generates the replication topology by specifying what domain controllers will replicate to which other domain controllers in the site. The KCC maintains a list of connections, called a replication topology, to other domain controllers in the site. The KCC ensures that changes to any object are replicated to all site domain controllers and updates go through no more than three connections.

9. What is the SYSVOL folder?
System Volume (SYSVOL) is a shared directory that stores the server copy of the domain’s public files that must be shared for common access and replication throughout a domain. The term SYSVOL refers to a set of files and folders that reside on the local hard disk of each domain controller in a domain and that are replicated by the File Replication service (FRS).

Network clients access the contents of the SYSVOL tree by using the NETLOGON and SYSVOL shared folders. Sysvol uses junction points-a physical location on a hard disk that points to data that is located elsewhere on your disk or other storage device-to manage a single instance store.

10. What is the Netlogon folder in AD DS and What is it used for?
The NETLOGON share is pointing to %SystemRoot%\sysvol\sysvol\{DOMAIN}\scripts folder on DC, and it’s main purpose is for storing logon scripts.

By default %SystemRoot%\sysvol\sysvol\{DOMAIN}\scripts is empty. When we are deployed any script via GPO that is the default location for storing the script.

By default sysvol includes 2 folders, the scripts folder is shared with the name NETLOGON

1. Policies – (Default location – %SystemRoot%\Sysvol\Sysvol\domain_name\Policies)
2. Scripts – (Default lcation – %SystemRoot%\Sysvol\Sysvol\domain_name\Scripts)

11. What are the difference between Enterprise Admins and Domain Admins groups in AD?
Enterprise Admins: Members of this group have full control of all domains in the forest. By default, this group is a member of the Administrators group on all domain controllers in the forest. By default, the Administrator account is a member of this group. Because this group has full control of the forest, add users with caution.

Domain Admins: Members of this group have full control of the domain. By default, this group is a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain. By default, the Administrator account is a member of this group. Because the group has full control in the domain, add users with caution.

12. What is LSDOU? It’s group policy inheritance model, where the policies are applied to Local machines, Sites, Domains and Organizational Units.

13. What’s the number of permitted unsuccessful logons on Administrator account? Unlimited. Remember, though, that it’s the Administrator account, not any account that’s part of the Administrators group.

14. Can GC Server and Infrastructure place in single server If not explain why?
As a general rule, the infrastructure master should be located on a nonglobal catalog domain controller that has a direct connection object to some global catalog in the forest, preferably in the same Active Directory site. Because the global catalog server holds a partial replica of every object in the forest, the infrastructure master, if placed on a global catalog server, will never update anything, because it does not contain any references to objects that it does not hold.

But there are exceptions to this “general rule”. Two exceptions to the “do not place the infrastructure master on a global catalog server” rule are:
Single domain forest:
In a forest that contains a single Active Directory domain, there are no phantoms, and so the infrastructure master has no work to do. The infrastructure master may be placed on any domain controller in the domain, regardless of whether that domain controller hosts the global catalog or not.

Multidomain forest where every domain controller in a domain holds the global catalog:
If every domain controller in a domain that is part of a multidomain forest also hosts the global catalog, there are no phantoms or work for the infrastructure master to do. The infrastructure master may be put on any domain controller in that domain.

15. What Intrasite and Intersite Replication?
Intra-site replication refers to replication between domain controllers in the same site whereas Inter-site replication refers to replication between DCs belonging to different sites.

16. What is Garbage Collection?
Garbage collection is a housekeeping process that is designed to free space within the Active Directory database. In Windows 2000 and in the original release version of Windows Server 2003, this process runs on every domain controller in the enterprise with a default lifetime interval of 12 hours. You can change this interval by modifying the garbageCollPeriod attribute in the enterprise-wide DS configuration object (NTDS).

17. What is new AD features in Windows server 2016?
The following are new AD DS 2016 features:

– Privileged Access Management
– Time-based group memberships
– Microsoft Passport
– Active Directory Federation Services improvements
– Time sync improvements

Leave a Reply

Your email address will not be published. Required fields are marked *