Active Directory Interview Questions – Part 5

By | October 27, 2019

43. Explain about Trust in AD?
A trust is a relationship between two domains (or two forests) that lets accounts authenticated in one domain be authorised to resources in the other. Trusts inside a forest are created automatically when domains are added to the forest.

Communication between domains occurs through trusts: they are the authentication pipelines that must exist before a user in one domain can be granted access to resources in another. The Active Directory Installation Wizard creates two default trusts (parent-child and tree-root) as domains are added. Four other types can be created with the New Trust Wizard or the Netdom command-line tool. Because a trust extends authentication across a security boundary, its direction, transitivity and SID filtering settings determine how far an account on the other side (or an attacker who has compromised one) can reach, so those are the properties to review first.

44. Explain types of trust in AD?
Default trusts:
Two-way, transitive trusts are created automatically when a new domain is added to a domain tree or to the forest with the Active Directory Installation Wizard:
1. Parent and child (between a new child domain and its parent)
2. Tree-root (between the root of a new domain tree and the forest root domain)

Other trusts:
Four other types of trusts can be created using the New Trust Wizard or the Netdom command-line tool:
1. External (non-transitive; to a domain in another forest or a Windows NT 4.0 domain)
2. Realm (to a non-Windows Kerberos realm; transitive or non-transitive)
3. Forest (transitive; between two forest root domains)
4. Shortcut (transitive; between two domains in the same forest, to shorten the authentication path)
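The inventory below is an added example, not code from the original post. It enumerates the trusts of the local domain with the ActiveDirectory RSAT module, sorts each into the six types listed above, and flags the settings that widen an account's reach across the trust (outbound direction, missing selective authentication, SID filtering switched off). The trustAttributes bit values are the documented MS-ADTS constants; the intra-forest classification from parent relationships is a heuristic assumed by this example.

```powershell
# Added example, not code from the original post. Needs the ActiveDirectory
# module and read access to the domain's trustedDomain objects.
Import-Module ActiveDirectory

# trustAttributes bits (documented constants from MS-ADTS)
$TRUST_ATTRIBUTE_NON_TRANSITIVE     = 0x1
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4    # SID filtering quarantine on an external trust
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40   # forest trust relaxed to accept SID history

function Get-TrustKind {
    param($Trust, $Here, [string]$ForestRoot)
    if (-not $Trust.IntraForest) {
        if ($Trust.ForestTransitive)         { return 'Forest' }
        if ($Trust.TrustType -eq 'Kerberos') { return 'Realm' }   # non-Windows Kerberos realm
        return 'External'
    }
    # Intra-forest trusts are parent-child, tree-root or shortcut; tell them apart
    # from the parent relationship of both ends (heuristic assumed by this example).
    $there = Get-ADDomain -Identity $Trust.Target
    if ($there.ParentDomain -eq $Here.DNSRoot -or $Here.ParentDomain -eq $there.DNSRoot) { return 'Parent-child' }
    $treeRoot = ($there.DNSRoot -eq $ForestRoot -and -not $Here.ParentDomain) -or
                ($Here.DNSRoot  -eq $ForestRoot -and -not $there.ParentDomain)
    if ($treeRoot) { return 'Tree-root' }
    return 'Shortcut'
}

function Get-TrustInventory {
    $here       = Get-ADDomain
    $forestRoot = (Get-ADForest).RootDomain
    foreach ($t in Get-ADTrust -Filter *) {
        $kind  = Get-TrustKind -Trust $t -Here $here -ForestRoot $forestRoot
        $attrs = [int]$t.TrustAttributes
        $risk  = @()
        # Outbound = this domain trusts the other one, so accounts from over
        # there can be authorised to resources here.
        if ($t.Direction -in @('Outbound', 'BiDirectional')) {
            $risk += 'outbound: foreign accounts can be granted access here'
            if (($kind -in @('External', 'Forest')) -and -not $t.SelectiveAuthentication) {
                $risk += 'no selective authentication (every foreign account is Authenticated Users here)'
            }
        }
        if ($kind -eq 'External' -and -not ($attrs -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN)) {
            $risk += 'SID filtering quarantine OFF: SID history from the other domain is honoured'
        }
        if ($kind -eq 'Forest' -and ($attrs -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL)) {
            $risk += 'forest trust treated as external: SID history accepted'
        }
        [pscustomobject]@{
            Target     = $t.Target
            Kind       = $kind
            Direction  = $t.Direction
            Transitive = ($kind -ne 'External') -and -not ($attrs -band $TRUST_ATTRIBUTE_NON_TRANSITIVE)
            Risk       = $risk -join '; '
        }
    }
}

Get-TrustInventory | Format-Table -AutoSize
# Quick cross-check from the command line: nltest /domain_trusts /all_trusts
```

Run it on a member of the domain whose trusts you are reviewing; an empty Risk column on every row is the state you want for trusts to domains you do not control.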

45. What is metadata cleanup in AD DS?
Metadata cleanup is a required procedure after a forced removal of Active Directory Domain Services (AD DS), for example when a domain controller fails permanently or is demoted with dcpromo /forceremoval. It deletes the references the removed DC left behind in the directory (its server and NTDS Settings objects and the replication links to it; its SYSVOL replication membership, computer account and DNS records also have to go, if they are not removed as part of the same procedure). Until that is done, the remaining DCs keep trying to replicate with a partner that no longer exists, and any operations master role the dead DC held must be seized. You perform metadata cleanup on a domain controller in the domain of the domain controller that you forcibly removed.
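The script below is an added example, not code from the original post. It performs the cleanup with ntdsutil and then checks for the residue a forced removal typically leaves behind: a server object still under CN=Sites, the computer account, FRS and DFSR SYSVOL membership, an operations master role still pointing at the dead DC, and stale SRV records in _msdcs. DC03, Default-First-Site-Name and the derived naming contexts are placeholders; it assumes the ActiveDirectory module and, for the DNS check, the DnsServer module.

```powershell
# Added example, not from the original post. Run on a DC in the removed DC's
# domain. DC03 and Default-First-Site-Name are placeholders.
Import-Module ActiveDirectory

$dc       = 'DC03'
$site     = 'Default-First-Site-Name'
$root     = Get-ADRootDSE
$cfgNC    = $root.configurationNamingContext
$domNC    = $root.defaultNamingContext
$serverDN = "CN=$dc,CN=Servers,CN=$site,CN=Sites,$cfgNC"

# Step 1: remove the server object and its NTDS Settings. Since Windows Server
# 2008, ntdsutil accepts the server DN directly at the 'metadata cleanup' prompt.
ntdsutil "metadata cleanup" "remove selected server $serverDN" quit quit

# Step 2: look for what the cleanup may not have touched.
function Test-MetadataResidue {
    param([string]$Dc, [string]$DomNC, [string]$CfgNC, [string]$DnsDomain)
    $found  = @()
    $exists = { param($DN) try { [bool](Get-ADObject -Identity $DN) } catch { $false } }

    if (Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$Dc))" -SearchBase "CN=Sites,$CfgNC") {
        $found += 'server object / NTDS Settings still under CN=Sites'
    }
    if (Get-ADComputer -Filter "Name -eq '$Dc'") { $found += 'computer account still present' }
    if (& $exists "CN=$Dc,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$DomNC") {
        $found += 'FRS member object'
    }
    if (& $exists "CN=$Dc,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$DomNC") {
        $found += 'DFSR topology member'
    }
    # Operations master roles must be seized, not left pointing at a dead DC.
    $d = Get-ADDomain; $f = Get-ADForest
    $roles = @($d.PDCEmulator, $d.RIDMaster, $d.InfrastructureMaster, $f.SchemaMaster, $f.DomainNamingMaster)
    if ($roles | Where-Object { $_ -like "$Dc.*" }) { $found += 'still holds an operations master role (seize it)' }
    # Stale DNS: SRV records in _msdcs that still point at the removed DC.
    try {
        $stale = Get-DnsServerResourceRecord -ZoneName "_msdcs.$DnsDomain" -RRType Srv |
                 Where-Object { $_.RecordData.DomainName -like "$Dc.*" }
        if ($stale) { $found += "$(@($stale).Count) SRV record(s) in _msdcs" }
    } catch { $found += 'DNS check skipped (DnsServer module not available)' }
    return $found
}

$residue = Test-MetadataResidue -Dc $dc -DomNC $domNC -CfgNC $cfgNC -DnsDomain (Get-ADDomain).DNSRoot
if ($residue) { $residue } else { "no residue found for $dc" }
```

Anything the check reports is removed by hand (the computer account from the Domain Controllers OU, the replication members from CN=System, the DNS records from the zone), and a role still listed for the dead DC is seized with Move-ADDirectoryServerOperationMasterRole -Force.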

46. What is the tombstone lifetime attribute?
The tombstoneLifetime attribute holds the number of days a deleted object is kept as a tombstone before it is garbage-collected from the directory. The tombstone is what replicates the deletion to every domain controller, and its lifetime also bounds restores: a backup older than the tombstone lifetime cannot be used, because restoring it would reintroduce objects whose deletion the other DCs have already forgotten (lingering objects). A DC that has been offline for longer than the tombstone lifetime must likewise be rebuilt rather than reconnected.

The default depends on the operating system of the first domain controller in the forest: forests created with Windows Server 2003 SP1 or later set it to 180 days, while older forests leave the attribute unset, which AD DS treats as 60 days. For forests upgraded to Windows Server 2008 that still use 60 days, Microsoft recommends manually setting the value to 180 days.
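As an added example (not code from the original post), the following reads the forest's tombstone lifetime from the Directory Service object, treating an unset attribute as the 60-day default, uses it to decide whether a backup of a given age may still be restored, and raises the value to 180 days. It assumes the ActiveDirectory module and, for the change, rights on the Configuration partition (Enterprise Admins); the 70-day backup age at the end is a constructed sample.

```powershell
# Added example, not from the original post.
Import-Module ActiveDirectory

$dsDN = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"

function Get-TombstoneLifetime {
    $ds = Get-ADObject -Identity $dsDN -Properties tombstoneLifetime
    # An unset attribute means the pre-2003 SP1 default of 60 days.
    if ($null -eq $ds.tombstoneLifetime) { 60 } else { [int]$ds.tombstoneLifetime }
}

function Test-BackupRestorable {
    # A backup older than the tombstone lifetime must not be restored: objects
    # deleted since it was taken have already been purged from the other DCs,
    # so restoring would bring them back as lingering objects.
    param([datetime]$BackupTime)
    $lifetime = Get-TombstoneLifetime
    $ageDays  = ((Get-Date) - $BackupTime).TotalDays
    [pscustomobject]@{
        BackupAgeDays     = [int]$ageDays
        TombstoneLifetime = $lifetime
        Restorable        = $ageDays -lt $lifetime
    }
}

function Set-TombstoneLifetime {
    param([int]$Days = 180)
    Set-ADObject -Identity $dsDN -Replace @{ tombstoneLifetime = $Days }
}

Test-BackupRestorable -BackupTime (Get-Date).AddDays(-70)   # constructed sample: a 70-day-old backup
```

On a forest still at the unset/60-day default the sample backup is reported as not restorable; after Set-TombstoneLifetime it would be, which is exactly why the value should be raised before, not after, you need an old backup.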

47. What are application partitions? When do I use them?
An application directory partition is a directory partition that is replicated only to a specific set of domain controllers rather than to every DC in the domain or forest. Only domain controllers running Windows Server 2003 or later can host a replica of an application directory partition. Using one lets you place application data (the DomainDnsZones and ForestDnsZones partitions that hold AD-integrated DNS zones are the built-in examples) on exactly the domain controllers that need it, anywhere in the forest, which gives redundancy, availability and fault tolerance for that data without replicating it everywhere. Data in an application partition is not replicated to the global catalog.
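The following is an added example, not code from the original post. It lists every application directory partition in the forest from the crossRef objects under CN=Partitions, which domain controllers are designated to hold a replica (msDS-NC-Replica-Locations), and whether the DC you are querying actually holds one. Application partitions are recognised by the FLAG_CR_NTDS_NOT_GC_REPLICATED bit in systemFlags (documented MS-ADTS constants); the ntdsutil command in the comment and the DC=app,DC=contoso,DC=com name are placeholders.

```powershell
# Added example, not from the original post. Needs the ActiveDirectory module.
Import-Module ActiveDirectory

# crossRef systemFlags bits (documented constants from MS-ADTS)
$FLAG_CR_NTDS_NC                = 0x1   # a naming context
$FLAG_CR_NTDS_DOMAIN            = 0x2   # a domain NC
$FLAG_CR_NTDS_NOT_GC_REPLICATED = 0x4   # not replicated to the GC: set on application partitions

function Get-ServerNameFromDN {
    # CN=NTDS Settings,CN=DC01,CN=Servers,CN=Site,... -> DC01
    param([string]$DN)
    if ($DN -match 'CN=([^,]+),CN=Servers,') { $Matches[1] } else { $DN }
}

function Get-ApplicationPartition {
    $root   = Get-ADRootDSE
    $cfgNC  = $root.configurationNamingContext
    $hosted = @($root.namingContexts)     # NCs held by the DC answering the query
    Get-ADObject -SearchBase "CN=Partitions,$cfgNC" -SearchScope OneLevel `
                 -LDAPFilter '(objectClass=crossRef)' `
                 -Properties nCName, dnsRoot, systemFlags, 'msDS-NC-Replica-Locations' |
      Where-Object {
          ($_.systemFlags -band $FLAG_CR_NTDS_NC) -and
          -not ($_.systemFlags -band $FLAG_CR_NTDS_DOMAIN) -and
          ($_.systemFlags -band $FLAG_CR_NTDS_NOT_GC_REPLICATED)
      } |
      ForEach-Object {
          [pscustomobject]@{
              Partition  = $_.nCName
              DnsRoot    = $_.dnsRoot
              Replicas   = (@($_.'msDS-NC-Replica-Locations') | ForEach-Object { Get-ServerNameFromDN $_ }) -join ', '
              HostedHere = $hosted -contains $_.nCName
          }
      }
}

Get-ApplicationPartition | Format-Table -AutoSize

# Creating one on Windows Server 2008 or later (placeholder name; NULL = the DC
# ntdsutil is connected to):
#   ntdsutil "partition management" connections "connect to server DC01" quit `
#            "create nc DC=app,DC=contoso,DC=com NULL" quit quit
```

On a plain forest the output is the DomainDnsZones partition of each domain plus ForestDnsZones; a partition whose Replicas column names a single DC is the one with no fault tolerance, which is the question this answer is really about.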

48. How do you view all the GCs in the forest?
dsquery server can be used to locate global catalogs; the -isgc switch restricts the output to servers that are global catalogs.

To search the entire forest
dsquery server -forest -isgc

To locate global catalogs in your current (logon) domain
dsquery server -isgc

To locate global catalogs in a specific domain
dsquery server -domain <DomainName> -isgc

Here, <DomainName> is the DNS name of the domain whose global catalog servers you want to list.

You can also search for global catalog servers by site, but to do this you must know the full site name, and cannot use wildcards. For example, to find all the global catalog servers in Default-First-Site-Name, you would type

dsquery server -site Default-First-Site-Name -isgc

The resulting output is a list of the distinguished names of the global catalogs' server objects, one per line.
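As an added example (not code from the original post), here is the PowerShell equivalent of the searches above, extended with a check the DN list alone does not give: whether each global catalog actually answers on the GC LDAP port (3268). It assumes the ActiveDirectory module and Test-NetConnection (Windows 8 / Server 2012 or later); the optional site name is a placeholder.

```powershell
# Added example, not from the original post.
Import-Module ActiveDirectory

function Get-GlobalCatalogStatus {
    param([string]$Site)   # optional: restrict to one site, exact name as with dsquery
    $filter = 'IsGlobalCatalog -eq $true'
    if ($Site) { $filter += " -and Site -eq '$Site'" }
    # Get-ADDomainController answers per domain, so ask every domain in the forest.
    $dcs = foreach ($domain in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter $filter -Server $domain
    }
    foreach ($dc in $dcs) {
        [pscustomobject]@{
            HostName   = $dc.HostName
            Domain     = $dc.Domain
            Site       = $dc.Site
            # A DC can be flagged as a GC while still building the partial
            # replica set; the port being open is the closer-to-reality test.
            GCPortOpen = (Test-NetConnection -ComputerName $dc.HostName -Port 3268 `
                              -WarningAction SilentlyContinue).TcpTestSucceeded
        }
    }
}

Get-GlobalCatalogStatus | Format-Table -AutoSize
Get-GlobalCatalogStatus -Site 'Default-First-Site-Name' | Format-Table -AutoSize
(Get-ADForest).GlobalCatalogs   # the forest's own list, for comparison
```

A host that appears in (Get-ADForest).GlobalCatalogs but shows GCPortOpen false is the one to look at with dcdiag /test:advertising.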


49. What is RSoP?
One challenge of Group Policy administration is understanding the cumulative effect of a number of Group Policy objects (GPOs) on any given computer or user, or how a change, such as reordering the precedence of GPOs or moving a computer or user to a different organizational unit (OU), would affect the network.

The Resultant Set of Policy (RSoP) snap-in offers administrators one solution. It has two modes: logging mode reports the settings that were actually applied to an existing computer and user, and planning mode simulates the settings that would apply for a chosen combination of user, computer, OU, site, security group membership and WMI filter. Administrators use it to see how multiple GPOs combine for various combinations of users and computers, or to predict the effect of a Group Policy change before making it. The same logging-mode data is available from the command line with gpresult.
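The script below is an added example, not code from the original post. It captures the logging-mode RSoP of the local computer with gpresult as an XML report and then reads the report to list each GPO that was considered, where it is linked, and its filtering status, so that a GPO you expected to apply but was denied (security filtering, WMI filter, disabled link) shows up with its reason. Element names are those of the gpresult XML report; the report path is a placeholder, and the computer scope needs an elevated prompt.

```powershell
# Added example, not from the original post. Run elevated for the computer scope.
$report = Join-Path $env:TEMP 'rsop.xml'
gpresult /scope computer /x $report /f | Out-Null    # /f overwrites an existing report

function Get-RsopGpoStatus {
    param([string]$Path)
    [xml]$rsop = Get-Content -Path $Path -Raw
    # The report is namespaced; local-name() avoids registering the namespace.
    $gpos = $rsop.SelectNodes("//*[local-name()='ComputerResults']/*[local-name()='GPO']")
    foreach ($gpo in $gpos) {
        $text = { param($name) $gpo.SelectSingleNode("*[local-name()='$name']").InnerText }
        $links = $gpo.SelectNodes("*[local-name()='Link']/*[local-name()='SOMPath']") |
                 ForEach-Object { $_.InnerText }
        [pscustomobject]@{
            Name      = & $text 'Name'
            Filtering = & $text 'FilteringStatus'   # 'None' means the GPO applied
            LinkedAt  = $links -join '; '
        }
    }
}

Get-RsopGpoStatus -Path $report | Sort-Object Filtering, Name | Format-Table -AutoSize
```

For the planning side of the answer there is no command-line equivalent of this report; use Group Policy Modeling in the GPMC (the RSoP planning-mode provider) to simulate the move or reordering before you make it.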

50. Difference between KCC and ISTG?
The KCC (Knowledge Consistency Checker) is the process that generates the replication topology between domain controllers. It runs on every DC and, from the site and site-link information in the Configuration partition, creates the inbound connection objects its own DC needs from the other DCs in the same site. Intra-site replication is therefore handled entirely by each DC's own KCC.

Between sites, replication is carried out by bridgehead servers, and the connection objects for them are created differently. The ISTG (Inter-Site Topology Generator) is one domain controller per site whose KCC is additionally responsible for reviewing the inter-site topology and creating the inbound replication connection objects needed by the bridgehead servers in its site. It is not a separate service but a role taken by one DC's KCC; the current holder is recorded in the interSiteTopologyGenerator attribute of the site's NTDS Site Settings object, and the DC holding the role is not necessarily a bridgehead server itself.
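To make the distinction concrete, the following is an added example, not code from the original post. It reads the ISTG of every site from the interSiteTopologyGenerator attribute and lists the replication connection objects in the forest, separating the ones the KCC/ISTG generated from manually created ones. Manual connection objects are worth a second look: the KCC will not clean them up, and a connection nobody remembers creating is also how a rogue replication partner would be wired in. It assumes the ActiveDirectory module (Get-ADReplicationConnection is Windows Server 2012 or later).

```powershell
# Added example, not from the original post. Needs the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ServerNameFromDN {
    # Works for both CN=NTDS Settings,CN=DC01,CN=Servers,... and CN=DC01,CN=Servers,...
    param([string]$DN)
    if ($DN -match 'CN=([^,]+),CN=Servers,') { $Matches[1] } else { $DN }
}

function Get-SiteIstg {
    $cfgNC = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=Sites,$cfgNC" -SearchScope OneLevel -LDAPFilter '(objectClass=site)' |
      ForEach-Object {
          $settings = Get-ADObject -Identity "CN=NTDS Site Settings,$($_.DistinguishedName)" `
                                   -Properties interSiteTopologyGenerator
          $istg = $settings.interSiteTopologyGenerator   # DN of the ISTG's NTDS Settings, or empty
          [pscustomobject]@{
              Site = $_.Name
              ISTG = if ($istg) { Get-ServerNameFromDN $istg } else { '(none recorded)' }
          }
      }
}

function Get-ConnectionObjects {
    # Inbound connection objects: each one lives under the NTDS Settings of the
    # DC that pulls ("To") and names the DC it pulls from ("From").
    Get-ADReplicationConnection -Filter * | ForEach-Object {
        [pscustomobject]@{
            To        = Get-ServerNameFromDN $_.ReplicateToDirectoryServer
            From      = Get-ServerNameFromDN $_.ReplicateFromDirectoryServer
            Generated = if ($_.AutoGenerated) { 'KCC/ISTG' } else { 'MANUAL' }
            Name      = $_.Name
        }
    }
}

Get-SiteIstg | Format-Table -AutoSize
Get-ConnectionObjects | Sort-Object Generated, To | Format-Table -AutoSize

# Command-line cross-checks: repadmin /istg (ISTG per site), repadmin /showconn
# (connection objects), repadmin /bridgeheads, and repadmin /kcc to force the
# KCC to recompute the topology now instead of at its next 15-minute interval.
```

A connection object marked KCC/ISTG whose To and From are in different sites was created by the ISTG of the To side; the KCC of an ordinary DC only ever creates connections to DCs in its own site.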

