Active Directory Interview Questions – Part 9

By | June 7, 2020

86. What is group nesting?

Adding one group as a member of another group is called ‘group nesting’. It simplifies administration and reduces replication traffic: a resource ACL references a single group, and membership changes are made once on the nested group instead of on every ACL that grants the access.

87. What are the features of a Domain Local Group?

Domain local groups are used to grant access to resources in their own domain; they can only be placed on ACLs of resources within that domain. A domain local group can contain user and computer accounts from any domain in the forest or any trusted domain, global groups from any domain, universal groups from any domain in the forest, and other domain local groups from the same domain. This is the AGDLP pattern (Accounts into Global groups, Global groups into Domain Local groups, Domain Local groups get Permissions). For example, to let 10 users from Domain B print on a printer in Domain A: create a global group in Domain B and add the 10 users to it; create a domain local group in Domain A and add Domain B’s global group to it; then add Domain A’s domain local group to the printer’s security ACL. Adding or removing a user later is a change to the global group in Domain B; the printer ACL in Domain A never has to be touched.
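The nesting described in the last two answers (86 and 87), as an added PowerShell example that is not part of the original post. Domain names, OUs, group names and the share are constructed. A file share stands in for the printer because share permissions are scriptable in one cmdlet; for a printer the last step is the printer’s Security tab. It assumes the ActiveDirectory and SmbShare modules and rights in both domains:

```powershell
# Added example of the AGDLP pattern (answers 86/87); not from the original post.
# Domain A owns the resource, Domain B owns the users. All names below are constructed.
Import-Module ActiveDirectory

$domainA = 'a.example.com'
$domainB = 'b.example.com'
$users   = 1..10 | ForEach-Object { "finuser$_" }   # sAMAccountNames in Domain B

# A(ccounts) -> G(lobal): the global group lives with the users in Domain B
New-ADGroup -Name 'G-Finance-Users' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=b,DC=example,DC=com' -Server $domainB
Add-ADGroupMember -Identity 'G-Finance-Users' -Members $users -Server $domainB

# G -> DL: the domain local group lives with the resource in Domain A and nests the
# foreign global group (AD stores the cross-domain member as a foreignSecurityPrincipal)
New-ADGroup -Name 'DL-PRN-Finance-Print' -GroupScope DomainLocal -GroupCategory Security `
    -Path 'OU=Groups,DC=a,DC=example,DC=com' -Server $domainA
$gB = Get-ADGroup -Identity 'G-Finance-Users' -Server $domainB
Add-ADGroupMember -Identity 'DL-PRN-Finance-Print' -Members $gB -Server $domainA

# DL -> P(ermissions): only the domain local group is placed on the resource ACL
# ('A' is the assumed NetBIOS name of Domain A; a share stands in for the printer)
Grant-SmbShareAccess -Name 'FinancePrint' -AccountName 'A\DL-PRN-Finance-Print' `
    -AccessRight Change -Force

# Check: the nested member shows up under its SID-backed foreign security principal
Get-ADGroupMember -Identity 'DL-PRN-Finance-Print' -Server $domainA |
    Select-Object Name, ObjectClass, DistinguishedName
```

Because the cross-domain member is stored as a foreignSecurityPrincipal, `Get-ADGroupMember -Recursive` cannot expand it from Domain A; enumerate the global group against a Domain B DC instead.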

88. How will you take Active Directory backup?

Active Directory is backed up as part of the System State. System State includes the registry, the COM+ class registration database, the boot files, the AD database (NTDS.DIT and its transaction logs) and the SYSVOL folder (plus the Certificate Services database if AD CS is installed on the DC). It can be backed up with the built-in tool (NTBACKUP on Windows Server 2003; Windows Server Backup and its wbadmin command from Windows Server 2008 onward) or with third-party tools such as Symantec NetBackup or IBM Tivoli Storage Manager. Two caveats: a backup older than the tombstone lifetime (60 days for forests created before Windows Server 2003 SP1, 180 days otherwise) cannot be used to restore a DC, and a System State backup contains every password hash in the domain, so it must be protected like a domain controller.
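The backup from the answer above on a Windows Server 2008 or later DC, with the two checks that decide whether the backup is still usable. This is an added example, not from the original post; the target drive is constructed:

```powershell
# Added example: System State backup with the built-in wbadmin, plus the checks that
# decide whether such a backup can still be used. Target drive E: is constructed.
Import-Module ActiveDirectory

# 1. Back up System State (registry, COM+ DB, boot files, NTDS.DIT + logs, SYSVOL) to E:
wbadmin start systemstatebackup -backupTarget:E: -quiet

# 2. A backup older than the tombstone lifetime cannot be restored; read the forest value.
#    The attribute is absent on forests that still use the original 60-day default.
$config = (Get-ADRootDSE).configurationNamingContext
$dsObj  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$config" -Properties tombstoneLifetime
$tsl    = if ($dsObj.tombstoneLifetime) { $dsObj.tombstoneLifetime } else { 60 }
"Tombstone lifetime: $tsl days; System State backups older than this are unusable for AD restore"

# 3. What the directory itself records as the last backup of each naming context
repadmin /showbackup
```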

89. What is Lost and Found Container?

In multimaster replication two domain controllers can make conflicting changes before either replicates to the other. One such conflict is an object created in, or moved to, a container on one DC while that container was deleted on another DC. The orphaned object is placed in the ‘LostAndFound’ container (CN=LostAndFound at the domain root, visible in ADUC with Advanced Features enabled) so that an administrator can move or delete it. Naming conflicts (two objects with the same relative name created under the same parent) are resolved differently: one of them is renamed to ‘name\nCNF:<objectGUID>’ in place and does not go to LostAndFound. Anything in LostAndFound is worth a look during incident review, since an attacker’s objects can end up there if the container they were created in was removed.
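A check for both outcomes described above (orphans in LostAndFound and CNF-renamed objects), added here as an example and not part of the original post. It assumes the ActiveDirectory module:

```powershell
# Added check: list orphaned objects in LostAndFound and objects renamed by a naming conflict.
Import-Module ActiveDirectory
$domain = Get-ADDomain

# Orphans: parent container was deleted on another DC while these were created or moved
Get-ADObject -Filter * -SearchBase $domain.LostAndFoundContainer -SearchScope OneLevel `
    -Properties lastKnownParent, whenChanged |
    Select-Object Name, ObjectClass, lastKnownParent, whenChanged

# Name conflicts: the losing object is renamed to "<name>\nCNF:<objectGUID>"; \0A is the LF byte
Get-ADObject -LDAPFilter '(name=*\0ACNF:*)' -Properties whenChanged |
    Select-Object Name, ObjectClass, whenChanged, DistinguishedName
```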

90. Do we use clustering in Active Directory? Why?

No. Domain controllers are not installed on a failover cluster, and the AD DS role is not supported on one. Active Directory gets its redundancy from multimaster replication: deploy two or more domain controllers (with DNS), and clients locate a working DC through DNS SRV records, so the loss of one DC is transparent. Clustering a DC would add nothing and would complicate recovery.

91. What is Active Directory Recycle Bin?

Active Directory Recycle Bin was introduced in Windows Server 2008 R2 and requires the forest functional level to be Windows Server 2008 R2 or higher. Once enabled (the change is irreversible), deleted objects keep all their attributes and links, including group memberships, for the deleted object lifetime (by default equal to the tombstone lifetime), so they can be restored with Restore-ADObject or, from Windows Server 2012, in ADAC, without an authoritative restore from backup, a reboot into Directory Services Restore Mode or a service restart. Before Recycle Bin, tombstone reanimation could bring back a deleted object but most of its attributes were already stripped.
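The check, enablement and restore described above as an added PowerShell example (not from the original post). The forest is read from the environment; the deleted account name is constructed:

```powershell
# Added example: check, enable and use the AD Recycle Bin. Enabling is one-way.
Import-Module ActiveDirectory
$forest = Get-ADForest

# Prerequisite and current state
"Forest functional level: $($forest.ForestMode)"   # must be Windows2008R2Forest or higher
Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin*"' | Select-Object Name, EnabledScopes

# Enable once per forest (Enterprise Admins); replicates to every DC and cannot be undone
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
    -Target $forest.RootDomain -Confirm:$false

# List deleted objects (the Deleted Objects container itself is excluded)
Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -IncludeDeletedObjects `
    -Properties lastKnownParent, whenChanged |
    Select-Object Name, ObjectClass, lastKnownParent, whenChanged

# Restore one account ('alice' is constructed) to its original parent; if that OU was deleted
# too, restore the OU first or pass -TargetPath
Get-ADObject -Filter 'samAccountName -eq "alice"' -IncludeDeletedObjects | Restore-ADObject
```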

92. What is RODC? Why do we configure RODC?

Read-only domain controller (RODC) is a feature introduced with Windows Server 2008. An RODC holds a read-only copy of the Active Directory database and SYSVOL and is deployed where physical security cannot be guaranteed, typically a branch office. Its security properties: no change originates on an RODC (writes are referred to a writable DC); by default it caches no account secrets, and the Password Replication Policy decides whose secrets may be cached (Domain Admins and other privileged groups are denied by default); attributes in the filtered attribute set are never replicated to it; and admin role separation lets a branch administrator manage the RODC server without any rights in the domain. If an RODC is stolen, only the accounts it had cached need their passwords reset, which ADUC offers when the RODC object is deleted. Because authentication for cached accounts happens locally, branch users also get faster logon.

93. How do you check the current forest and domain functional levels? Give both the GUI and the command-line method.

GUI: open Active Directory Users and Computers (ADUC), right-click the domain name and choose Properties; the General tab shows both the domain and the forest functional level (Active Directory Domains and Trusts shows the same). Command line: the level is stored in the msDS-Behavior-Version attribute, on the domain naming context for the domain level and on CN=Partitions in the configuration partition for the forest level, and DSQUERY can read it; the rootDSE attributes forestFunctionality and domainFunctionality expose the same values on any DC.
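The command-line side of the answer, as an added example that is not from the original post. It reads the raw attribute the GUI displays and translates the number, since dsquery and rootDSE return only the integer. It assumes the ActiveDirectory module and the dsquery tool on the box:

```powershell
# Added example: forest/domain functional levels from the command line.
Import-Module ActiveDirectory

# Numeric msDS-Behavior-Version values and what they mean
$levels = @{
    0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003'
    3 = 'Windows Server 2008'; 4 = 'Windows Server 2008 R2'; 5 = 'Windows Server 2012'
    6 = 'Windows Server 2012 R2'; 7 = 'Windows Server 2016'
}

# rootDSE exposes the effective level of the forest, the domain and this DC
$root = Get-ADRootDSE
[pscustomobject]@{
    Forest           = $levels[[int]$root.forestFunctionality]
    Domain           = $levels[[int]$root.domainFunctionality]
    DomainController = $levels[[int]$root.domainControllerFunctionality]
}

# Same values by name through the module
(Get-ADForest).ForestMode
(Get-ADDomain).DomainMode

# What the GUI actually stores: msDS-Behavior-Version on CN=Partitions (forest) and on
# the domain naming context (domain), read with dsquery
dsquery * "CN=Partitions,$($root.configurationNamingContext)" -scope base -attr msDS-Behavior-Version
dsquery * "$($root.defaultNamingContext)" -scope base -attr msDS-Behavior-Version
```

The level matters for security, not just features: AES Kerberos keys for krbtgt and fine-grained password policies need Windows Server 2008, and the Protected Users group and authentication policies need Windows Server 2012 R2.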

94. Which version of Kerberos is used for Windows 2000/2003 and 2008 Active Directory?

All versions of Windows Server Active Directory (2000, 2003, 2008 and later) use Kerberos version 5 (RFC 4120) as the default authentication protocol, with Microsoft extensions such as the PAC carrying the user’s group SIDs. NTLM remains available as a fallback for clients that cannot use Kerberos, for example when a resource is addressed by IP rather than by name.

95. Name a few port numbers related to Active Directory.

Kerberos 88 (TCP/UDP) and 464 (kpasswd, password changes); LDAP 389 (TCP/UDP), LDAPS 636, Global Catalog 3268 and 3269 (TLS); DNS 53 (TCP/UDP); SMB 445 (SYSVOL and NETLOGON shares, Group Policy); RPC endpoint mapper 135 plus the dynamic RPC range (TCP 49152–65535 on Windows Server 2008 and later, 1025–5000 on 2003) for replication and many admin tools; NTP 123 (UDP), since Kerberos tolerates at most 5 minutes of clock skew by default.
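A port probe from a domain member towards a DC, added here as an example and not from the original post. It covers the full list above rather than the four ports in the short answer; the DC name is constructed. TCP only: Kerberos and LDAP also use UDP, and the RPC dynamic range cannot be probed port by port:

```powershell
# Added example: probe the DC-facing TCP ports a domain member needs. DC name is constructed.
$dc    = 'dc01.corp.example.com'
$ports = [ordered]@{
    53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'; 445 = 'SMB (SYSVOL, NETLOGON)'
    464 = 'Kerberos password change'; 636 = 'LDAPS'; 3268 = 'Global Catalog'; 3269 = 'Global Catalog over TLS'
}

$results = foreach ($port in $ports.Keys) {
    [pscustomobject]@{
        Port    = $port
        Service = $ports[$port]
        Open    = Test-NetConnection -ComputerName $dc -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
    }
}
$results | Format-Table -AutoSize

# Replication and most RPC-based admin tools use 135 plus the dynamic range
# (49152-65535 on Windows Server 2008 and later, 1025-5000 on 2003); show the range on this host
netsh int ipv4 show dynamicport tcp
```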

96. What is an FQDN?

FQDN stands for Fully Qualified Domain Name. It is the complete DNS name of a host, written from the most specific label on the left to the DNS root on the right, so it identifies one device unambiguously in the domain hierarchy: the leftmost label is the host name and the remaining labels are the domain it belongs to. In Active Directory, a DC’s FQDN (host name plus the AD domain’s DNS name) is what clients resolve from the SRV records and what Kerberos SPNs such as host/&lt;fqdn&gt; are built from, which is why a short or IP-based name falls back to NTLM.

97. Have you heard of ADAC?

ADAC, the Active Directory Administrative Center, is a GUI tool introduced with Windows Server 2008 R2. It is built on top of the Active Directory PowerShell module and gives administrators an enhanced data management experience; common object management tasks can be performed across multiple domains from the same ADAC instance. From Windows Server 2012 it also exposes the Recycle Bin, fine-grained password policies and a PowerShell History Viewer that shows the cmdlets behind each GUI action.

98. How many objects can be created in Active Directory? (both 2003 and 2008)

As per Microsoft, a single domain controller can create around 2.15 billion objects over its lifetime (2^31 − 255, the number of distinguished name tags in NTDS.DIT). Tags are never reused, so deleted objects count against the limit too. The figure is the same for Windows Server 2003 and 2008, and it is per DC rather than per domain; in practice no directory comes close to it.

99. Explain the process between a user providing domain credentials at the workstation and the desktop being loaded. Or: how does AD authentication work?

When the user types a user name and password, the workstation’s Local Security Authority (LSA) runs the password through the Kerberos string-to-key function (for the AES encryption types, PBKDF2 with a salt derived from the realm and user name; for the older RC4 type, the NT hash) to obtain the user’s long-term key (KA). The password itself never leaves the workstation. The client sends an AS-REQ to the KDC (a domain controller) containing the user name and, because Active Directory requires pre-authentication, the current timestamp encrypted with KA.

The KDC holds the long-term key of every principal in its realm in NTDS.DIT. It looks up the user’s KA and decrypts the timestamp; a failure is returned as KDC_ERR_PREAUTH_FAILED and logged as event 4771, which is what a wrong password looks like on a DC. It then creates two items: a session key (SA) to be shared between the user and the KDC, and a Ticket-Granting Ticket (TGT). The TGT contains a copy of SA, the user name, an expiration time (10 hours by default) and the PAC with the user’s SID and group SIDs, and it is encrypted with the key of the krbtgt account (KKDC), which only domain controllers hold. The AS-REP returns the TGT together with a second copy of SA and the expiry time, encrypted with KA.

The client decrypts that part with KA to obtain SA; it cannot read the TGT and simply caches it. The user is now authenticated to the domain. To finish the logon, the workstation sends a TGS-REQ carrying the TGT and obtains a service ticket for its own host service (host/workstation), decrypts that ticket with its computer account key, and the LSA builds the user’s access token from the SIDs in the PAC. User Group Policy is then applied, the profile is loaded and the desktop shell starts. Access to any other resource (file servers, SQL, web applications) uses the same TGT to request a service ticket for that resource’s SPN.
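The AS exchange above with both sides’ messages, as an added toy model that is not from the original post and is not real Kerberos: PBKDF2 over (REALM + user) stands in for the AES string-to-key, AES-CBC plus HMAC-SHA256 for AES256-CTS-HMAC-SHA1-96, and plain strings for the ASN.1 messages. Only the message flow and which key protects what are faithful. The realm, user, password and the ‘ts=’/‘skey=’ field names are constructed. It runs on Windows PowerShell 5.1 with no AD required:

```powershell
# Added toy model of the Kerberos AS exchange behind an AD interactive logon. Not real
# Kerberos (see lead-in); only the flow and key usage match. All names are constructed.

function ConvertTo-LongTermKey {
    param([string]$Password, [string]$Realm, [string]$Principal)
    # Long-term key KA: derived from the password, held by the user (via the password)
    # and by the KDC (stored in NTDS.DIT). The password itself is never sent on the wire.
    $salt = [Text.Encoding]::UTF8.GetBytes($Realm.ToUpper() + $Principal)
    $kdf  = [Security.Cryptography.Rfc2898DeriveBytes]::new($Password, $salt, 4096)
    ,$kdf.GetBytes(32)
}

function Protect-Part {
    param([byte[]]$Key, [string]$Text)
    # Kerberos EncryptedData carries an integrity check, so a wrong key is detected, not
    # decrypted into garbage: encrypt-then-MAC here.
    $aes = [Security.Cryptography.Aes]::Create(); $aes.Key = $Key; $aes.GenerateIV()
    $pt  = [Text.Encoding]::UTF8.GetBytes($Text)
    $ct  = [byte[]]($aes.IV + $aes.CreateEncryptor().TransformFinalBlock($pt, 0, $pt.Length))
    $mac = [Security.Cryptography.HMACSHA256]::new($Key).ComputeHash($ct)
    ,[byte[]]($mac + $ct)
}

function Unprotect-Part {
    param([byte[]]$Key, [byte[]]$Blob)
    $mac = [byte[]]$Blob[0..31]; $ct = [byte[]]$Blob[32..($Blob.Length - 1)]
    $chk = [Security.Cryptography.HMACSHA256]::new($Key).ComputeHash($ct)
    if ([Convert]::ToBase64String($mac) -cne [Convert]::ToBase64String($chk)) { throw 'integrity check failed' }
    $aes = [Security.Cryptography.Aes]::Create(); $aes.Key = $Key; $aes.IV = [byte[]]$ct[0..15]
    [Text.Encoding]::UTF8.GetString($aes.CreateDecryptor().TransformFinalBlock($ct, 16, $ct.Length - 16))
}

$realm = 'CORP.EXAMPLE.COM'; $user = 'alice'; $password = 'Winter2020!'
# KDC key store. The krbtgt key is what the answer calls the KDC master key (KKDC).
$kdcKeys = @{ krbtgt = New-Object byte[] 32 }
[Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($kdcKeys.krbtgt)
$kdcKeys[$user] = ConvertTo-LongTermKey $password $realm $user

function Invoke-AsExchange {
    param([string]$User, [string]$TypedPassword)
    # Client: derive KA from what the user typed (the LSA does this before talking to the KDC)
    $ka = ConvertTo-LongTermKey $TypedPassword $realm $User
    # AS-REQ with PA-ENC-TIMESTAMP pre-authentication, which AD requires by default
    $asReq = @{ cname = $User; preauth = Protect-Part $ka ('ts=' + (Get-Date).ToUniversalTime().ToString('o')) }

    # KDC: the stored KA must open the timestamp; otherwise KDC_ERR_PREAUTH_FAILED (event 4771)
    try { $null = Unprotect-Part $kdcKeys[$asReq.cname] $asReq.preauth }
    catch { return [pscustomobject]@{ Result = 'KDC_ERR_PREAUTH_FAILED'; SessionKey = $null; Tgt = $null } }
    $sa = New-Object byte[] 32
    [Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($sa)
    $saB64   = [Convert]::ToBase64String($sa)
    $expires = (Get-Date).AddHours(10).ToUniversalTime().ToString('o')   # default max ticket life
    # AS-REP: TGT sealed with the krbtgt key (opaque to the client), enc-part sealed with KA
    $asRep = @{
        tgt     = Protect-Part $kdcKeys.krbtgt "cname=$User;skey=$saB64;expires=$expires;pac=<group SIDs>"
        encPart = Protect-Part $ka "skey=$saB64;expires=$expires"
    }

    # Client: recover SA from the enc-part; the TGT is cached as-is for later TGS-REQs
    $view = Unprotect-Part $ka $asRep.encPart
    [pscustomobject]@{ Result = 'OK'; SessionKey = (($view -split ';')[0] -replace '^skey=', ''); Tgt = $asRep.tgt }
}

Invoke-AsExchange -User $user -TypedPassword $password | Format-List   # Result OK, session key, opaque TGT
Invoke-AsExchange -User $user -TypedPassword 'wrong'   | Format-List   # Result KDC_ERR_PREAUTH_FAILED
```

Two things the model makes visible that the prose does not: the KDC never sees the password, only proof of KA, and the client holds a TGT it cannot read, which is why stealing a TGT from LSASS (pass-the-ticket) works without the password while a stolen KA equivalent (the NT hash, for RC4) lets an attacker run this exchange themselves (overpass-the-hash).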

100. What Is Urgent Replication And When Is It Used?

You probably know how core Active Directory replication works: when an object is changed, the source DC (the one that serviced the change request) notifies its direct replication partners that an object changed, and the partners then start replication by requesting the changes made since their last replication.

Important to know is that there is a “notification delay” between the actual change to the object in the directory and the notification sent to the replication partners. Windows Server 2003 DCs wait 15 seconds before sending the change notification. The delay exists so that a burst of changes to an object produces a single notification: if the phone number, home town and employeeID of a user are changed one second apart, only one change notification is sent for those three changes.

Without the notification delay, the source DC would send three change notifications to its partners for those three changes. Too much traffic. Note that the default change notification delay in Windows 2000 was 5 minutes (the numbers may differ depending on installation type: an upgrade from 2000 to 2003, the forest functional level, and so on).

Given that, one can think of several scenarios where a change that is not replicated right away becomes a problem: an account lockout, a changed password or lockout policy, and so on. An attacker who has locked an account on one DC should not be able to keep guessing against another DC for the next 15 seconds or 5 minutes.

For this reason there is urgent replication. It works the same way “normal” replication does, but without the notification delay, so urgent changes reach every DC in the site within seconds. Note that it only skips the delay; it still relies on change notification, so between sites it only takes effect where change notification is enabled on the site link (it is off by default, and inter-site replication otherwise follows the site-link schedule). Urgent replication takes place in the following cases:

  • The password policy or account lockout policy of the domain has changed
  • The LSA secret has changed (used for the secure channels between machines and DCs, and for trusts)
  • A user or computer account is locked out after too many failed logon attempts (the lockout is first sent to the DC holding the PDC emulator role, which then replicates it urgently to all others)
  • The password of a domain controller’s computer account has changed
  • The RID master role has moved to another DC

So, if one of these events takes place, the change notification to the neighbouring DCs is sent right away, with no notification delay. Ordinary user password changes are handled by a different mechanism: the DC that changes the password pushes it immediately to the PDC emulator over RPC, and a DC that sees a failed logon retries the password against the PDC emulator before rejecting it, so a freshly changed password works domain-wide before normal replication has caught up.
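A check for the lockout case above, added here as an example and not from the original post: it asks every DC in the domain what it currently knows about one account’s lockout and reads this DC’s notification delay from the registry. After urgent replication every DC should show the same lockoutTime within seconds; a DC still showing 0 has not received it (or sits in a site whose link has no change notification). The user name is constructed; the ActiveDirectory module is assumed:

```powershell
# Added check: per-DC view of one account's lockout state, plus this DC's notification delay.
Import-Module ActiveDirectory
$user = 'alice'                          # constructed
$pdc  = (Get-ADDomain).PDCEmulator

(Get-ADDomainController -Filter *).HostName | ForEach-Object {
    $u = Get-ADUser -Identity $user -Server $_ -Properties lockoutTime, badPwdCount, badPasswordTime
    [pscustomobject]@{
        DC          = $_
        IsPDC       = ($_ -eq $pdc)
        LockoutTime = $(if ($u.lockoutTime -gt 0) { [DateTime]::FromFileTimeUtc($u.lockoutTime) } else { $null })
        BadPwdCount = $u.badPwdCount     # never replicated: each DC counts only the failures it saw
        LastBadPwd  = $(if ($u.badPasswordTime -gt 0) { [DateTime]::FromFileTimeUtc($u.badPasswordTime) } else { $null })
    }
} | Format-Table -AutoSize

# Intra-site notification delay on this DC. An absent value means the OS default
# (15 s on Windows Server 2003 and later, 300 s on Windows 2000).
$p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
        -Name 'Replicator notify pause after modify (secs)' -ErrorAction SilentlyContinue
"Notification delay: $(if ($p) { $p.'Replicator notify pause after modify (secs)' } else { 'OS default' }) s"
```

Because badPwdCount is not replicated, the PDC emulator is the only DC with the domain-wide picture of failed logons; point password-spray detection at it.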

101. Which FSMO role directly impacts the consistency of Group Policy?

The PDC emulator. The Group Policy Management Console and the Group Policy Object Editor connect to the PDC emulator by default when a GPO is created or edited, so that concurrent edits by different administrators land on one DC and replicate out from there consistently (a GPO lives partly in AD and partly in SYSVOL, which replicate separately). If the PDC emulator is unavailable, GPMC prompts for another DC.

102. I want to promote a new additional Domain Controller in an existing domain. Which are the groups I should be a member of?

To add a domain controller to an existing domain you need to be a member of the Domain Admins group of that domain (Enterprise Admins also works, since it is a member of every domain’s Domain Admins). Enterprise Admins is required to add a new domain to the forest, and Schema Admins is needed when adprep must extend the schema first, for example when introducing a newer OS version. You must also be a member of the local Administrators group on the member server being promoted. Promotion hands that server every secret in the domain, so the account used and the server itself must be treated as tier 0.
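The promotion from this answer, and the RODC deployment from answer 92, as an added PowerShell example that is not from the original post. Domain, site, account and group names are constructed; each Install-ADDSDomainController call runs on its own member server, as a local administrator, with Domain Admins credentials:

```powershell
# Added example: promote a writable additional DC, then an RODC for a branch office.
# All names are constructed. Run on the server being promoted.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

$cred = Get-Credential 'CORP\dc-admin'                      # member of Domain Admins
$dsrm = Read-Host -AsSecureString 'DSRM (Directory Services Restore Mode) password'

# Dry run: reports missing prerequisites instead of failing half-way through
Test-ADDSDomainControllerInstallation -DomainName 'corp.example.com' -Credential $cred `
    -SafeModeAdministratorPassword $dsrm -InstallDns -SiteName 'HQ'

# Writable additional DC in the HQ site (reboots when done)
Install-ADDSDomainController -DomainName 'corp.example.com' -Credential $cred `
    -SafeModeAdministratorPassword $dsrm -InstallDns -SiteName 'HQ' -Force

# RODC for the branch (answer 92): only branch users' secrets may be cached, privileged
# accounts never; the branch admin group gets local admin on the RODC and nothing in the domain
Install-ADDSDomainController -DomainName 'corp.example.com' -Credential $cred `
    -SafeModeAdministratorPassword $dsrm -InstallDns -SiteName 'Branch-Lyon' -ReadOnlyReplica `
    -AllowPasswordReplicationAccountName @('CORP\Branch-Lyon-Users') `
    -DenyPasswordReplicationAccountName @('CORP\Domain Admins', 'CORP\Enterprise Admins', 'CORP\Schema Admins') `
    -DelegatedAdministratorAccountName 'CORP\Branch-Lyon-Admins' -Force

# Later, from any writable DC: which accounts the RODC has actually cached, i.e. what must be
# reset if the RODC is stolen ('RODC-LYON' is the constructed computer name)
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'RODC-LYON' -RevealedAccounts |
    Select-Object Name, ObjectClass
```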

103. Tell me the easiest way to check all five FSMO roles.

Run netdom query fsmo (or netdom query /domain:YourDomain fsmo for another domain). It lists the domain controller holding each of the five roles: schema master and domain naming master (one per forest), and PDC emulator, RID master and infrastructure master (one per domain). The ActiveDirectory PowerShell cmdlets Get-ADForest and Get-ADDomain expose the same holders as properties.
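The netdom one-liner shows what a single DC believes. The following added example (not from the original post) asks every DC in the domain for the role owners and flags disagreement, which points at a replication problem or an unfinished role seizure. It assumes the ActiveDirectory module:

```powershell
# Added check: FSMO role owners as seen from every DC, compared against the nearest DC's view.
Import-Module ActiveDirectory

$reference = [ordered]@{
    SchemaMaster         = (Get-ADForest).SchemaMaster
    DomainNamingMaster   = (Get-ADForest).DomainNamingMaster
    PDCEmulator          = (Get-ADDomain).PDCEmulator
    RIDMaster            = (Get-ADDomain).RIDMaster
    InfrastructureMaster = (Get-ADDomain).InfrastructureMaster
}
$reference

(Get-ADDomainController -Filter *).HostName | ForEach-Object {
    $dc = $_
    $f  = Get-ADForest -Server $dc
    $d  = Get-ADDomain -Server $dc
    $seen = [ordered]@{
        SchemaMaster = $f.SchemaMaster; DomainNamingMaster = $f.DomainNamingMaster
        PDCEmulator  = $d.PDCEmulator;  RIDMaster = $d.RIDMaster; InfrastructureMaster = $d.InfrastructureMaster
    }
    $diff = $seen.Keys | Where-Object { $seen[$_] -ne $reference[$_] }
    [pscustomobject]@{ DC = $dc; Agrees = (-not $diff); Disagreements = ($diff -join ', ') }
} | Format-Table -AutoSize
```

A DC that still names a decommissioned server as role owner after a seize is the classic finding here; the old owner must never be brought back online in that case.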

104. What is Realm trust?

A realm trust is a trust relationship between an Active Directory domain and a non-Windows Kerberos realm (MIT Kerberos or Heimdal, for example). It can be one-way or two-way and transitive or non-transitive, and it rests on a shared trust password between the two KDCs. Because the foreign KDC issues no PAC, principals from the other realm must be mapped to AD accounts (name mapping in ADUC, stored in altSecurityIdentities) before they receive any authorization in the domain.
