More and more companies are realizing the power of cloud services and networks. With the release of Office 365, cloud services, and employees working away from the office, collaboration is crucial. Ensuring that the networks that connect employees and give them access to an organization's documents and projects keep working is therefore critical if organizations are to function efficiently. This means that the demand for good network technicians and system administrators who understand Active Directory is increasing.
If you love ensuring the smooth, efficient operation of a network and have the networking skills you need to qualify for a networking position, then here are some Active Directory interview questions that may help you secure your dream job as a network administrator by preparing you for your interview. If you want to improve your interview skills, the Job Interview Skills Training Course will help you master the interview skills you need.
1. Define Active Directory
Active Directory is a database and directory service that stores data about the users within a network as well as the other objects in the network (computers, groups, printers and so on). Active Directory lets administrators bring the networks that join AD together and manage and administer them centrally.
2. What is a domain within Active Directory?
A domain represents a group of network resources that includes computers, printers, applications and other resources. All members of a domain share a directory database. The domain is represented by the address of its resources within the database. A domain address generally looks like 125.170.456. A user can log into a domain to gain access to the resources that are listed as part of that domain.
3. What is the domain controller?
The server that responds to user requests for access to the domain is called the Domain Controller or DC. The Domain Controller allows a user to gain access to the resources within the domain through the use of a single username and password.
4. Explain what domain trees and forests are
Domains that share a common schema and configuration can be linked to form a contiguous namespace called a domain tree. The domains within a tree are linked by trust relationships that are created between them.
Forests consist of a number of domain trees that are linked together within AD by implicit (automatic) trust relationships. Forests are generally created where a server setup includes a number of root DNS names. Trees within a forest do not share a contiguous namespace.
5. What is LDAP?
LDAP is an acronym for Lightweight Directory Access Protocol and it refers to the protocol used to access, query and modify the data stored within the AD directories. LDAP is an internet standard protocol that runs over TCP/IP.
6. Explain what intrasite and intersite replication are and how the KCC facilitates replication
Replication between DCs inside a single site is called intrasite replication, whilst replication between DCs in different sites is called intersite replication. Intrasite replication occurs frequently, while intersite replication is scheduled and compressed to conserve network bandwidth.
KCC is an acronym for the Knowledge Consistency Checker. The KCC is a process that runs on all of the Domain Controllers and builds the replication topology for replication within sites and between sites. Between sites, replication is done through SMTP or RPC, whilst intrasite replication is done using remote procedure calls over IP.
7. Name a few of the tools available in Active Directory, and which tool would you use to troubleshoot replication issues?
Active Directory tools include:
· Dfsutil.exe
· Netdiag.exe
· Repadmin.exe
· Adsiedit.msc
· Netdom.exe
· Replmon.exe
Replmon.exe is a graphical tool designed to visually represent AD replication. Due to its graphical nature, Replmon.exe allows you to easily spot and deal with replication issues. Note that Replmon.exe shipped with the Windows Server 2003 Support Tools and was dropped in Windows Server 2008; on current systems the command-line Repadmin.exe (for example repadmin /replsummary and repadmin /showrepl) is the tool to use.
8. What tool would you use to edit AD?
Adsiedit.msc is a low-level editing tool for Active Directory. It is a Microsoft Management Console snap-in with a graphical user interface that allows administrators to accomplish simple tasks like adding, editing and deleting objects within a directory service. Adsiedit.msc uses the Active Directory Service Interfaces (ADSI) application programming interfaces to access Active Directory. Since it is an MMC snap-in, it requires access to MMC and a connection to an Active Directory environment to function correctly.
9. How would you manage trust relationships from the command prompt?
Netdom.exe is a command-line tool that allows administrators to manage trust relationships within Active Directory from the command prompt. Netdom.exe allows for batch management of trusts, lets administrators join computers to domains, and can verify trusts and reset the secure channel between a computer and its domain controller.
10. Where is the AD database held, and how would you create a backup of the database?
The database (Ntds.dit) is stored in the NTDS directory under the Windows system root. You could create a backup of the database by backing up the System State data using the default NTBACKUP tool provided by Windows or with Symantec's NetBackup. The System State backup includes the local registry, the boot files, the COM+ class registration database, the Ntds.dit file and the SYSVOL folder.
11. What is SYSVOL, and why is it important?
SYSVOL is a shared folder that exists on all domain controllers. It is the repository for the Active Directory files that must be distributed to domain members, and it stores the important elements of Active Directory Group Policy (the Group Policy templates). The File Replication Service (FRS), or DFS Replication on newer domains, replicates the SYSVOL folder among domain controllers. Logon scripts and policies are delivered to each domain user via SYSVOL.
Because Group Policy security settings live there, SYSVOL holds much of the security-related configuration of the AD domain.
12. Briefly explain how Active Directory authentication works
When a user logs into the network, the user provides a username and password. The user's computer runs the password through a one-way hashing function to derive the user's long-term (master) key; the KDC holds the master list of these long-term keys for every user, so the password itself never has to be sent over the network. The computer sends an authentication request to the KDC, which creates a session key and a ticket-granting ticket (TGT) and returns them to the user's computer encrypted under the user's long-term key. Decrypting this data with the derived key is what enables the computer to communicate with the KDC and obtain tickets for the resources of the domain.
For more training on Active Directory, Administering Windows Server 2012 will teach you how to work with Domain Controllers as well as other AD skills you may need.
- Answer: An active directory is a directory structure used on Microsoft Windows based servers and computers to store data and information about networks and domains.
- Answer: In Windows 2000, a domain defines both an administrative boundary and a security boundary for a collection of objects that are relevant to a specific group of users on a network. A domain is an administrative boundary because administrative privileges do not extend to other domains. It is a security boundary because each domain has a security policy that extends to all security accounts within the domain. Active Directory stores information about objects in one or more domains.
Domains can be organized into parent-child relationships to form a hierarchy. A parent domain is the domain directly superior in the hierarchy to one or more subordinate, or child, domains. A child domain can also be the parent of one or more child domains.
- Answer: The default protocol used in directory services is LDAP (Lightweight Directory Access Protocol).
- Answer: Mixed mode allows domain controllers running both Windows 2000 and earlier versions of Windows NT to co-exist in the domain. In mixed mode, the domain features from previous versions of Windows NT Server are still enabled, while some Windows 2000 features are disabled. Windows 2000 Server domains are installed in mixed mode by default. In mixed mode the domain may have Windows NT 4.0 backup domain controllers present. Nested groups are not supported in mixed mode.
- Answer: A forest is used to define an assembly of AD domains that share a single schema for the AD. All DCs in the forest share this schema, which is replicated in a hierarchical fashion among them.
- Answer: When all the domain controllers in a given domain are running Windows 2000 Server. This mode allows organizations to take advantage of new Active Directory features such as universal groups, nested group membership, and inter-domain group membership.
- Answer: The SYSVOL folder keeps the server's copy of the domain's public files. The contents of the SYSVOL folders, such as users, group policy, etc., are replicated to all domain controllers in the domain.
- Answer: LDAP is the directory service protocol that is used to query and update AD. LDAP naming paths are used to access AD objects and include the following:
- Distinguished names
- Relative Distinguished names
- Answer: Kerberos is an authentication protocol for networks. It is built to offer strong authentication for client/server applications by using secret-key cryptography.
- Answer:
- Windows Server, Advanced Server, Datacenter Server
- Minimum Disk space of 200MB for AD and 50MB for log files
- NTFS partition
- TCP/IP Installed and Configured to use DNS
- Administrative privilege for creating a domain in existing network
- Answer: Lingering objects can exist if a domain controller does not replicate for an interval of time that is longer than the tombstone lifetime (TSL).
- Answer: In an Active Directory forest, the domain controller is a server that contains a writable copy of the Active Directory database, participates in Active Directory replication and controls access to network resources.
- Answer: The tombstone lifetime in an Active Directory determines how long a deleted object is retained in Active Directory. Deleted objects in Active Directory are stored in a special object referred to as a tombstone. Usually, Windows will use a 60-day tombstone lifetime if the value is not set in the forest configuration.
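The two answers above tie lingering objects to the tombstone lifetime. The PowerShell below, added here and not part of the original page, reads the forest's tombstoneLifetime and flags inbound replication partners whose last successful sync is older than it; it assumes the ActiveDirectory RSAT module on a domain-joined machine with an account allowed to read replication metadata.

```powershell
# Added example (not from the original page). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # The forest-wide value lives on the Directory Service object in the configuration NC.
    $cfgNC = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" `
                       -Properties tombstoneLifetime
    # When the attribute is not set, the directory falls back to 60 days.
    if ($null -eq $ds.tombstoneLifetime) { return 60 }
    return [int]$ds.tombstoneLifetime
}

function Test-ReplicationAgainstTsl {
    param([string]$Target = $env:COMPUTERNAME)   # DC to inspect; defaults to this host
    $tsl    = Get-TombstoneLifetimeDays
    $cutoff = (Get-Date).AddDays(-$tsl)
    Get-ADReplicationPartnerMetadata -Target $Target -PartnerType Inbound |
        ForEach-Object {
            [pscustomobject]@{
                Partition   = $_.Partition
                Partner     = $_.Partner
                LastSuccess = $_.LastReplicationSuccess
                # True when this partner has not replicated within one tombstone lifetime,
                # i.e. the condition under which lingering objects can appear.
                Stale       = ($_.LastReplicationSuccess -lt $cutoff)
            }
        }
}

# Report only the partners that need attention. Follow up with
#   repadmin /removelingeringobjects <DestDC> <SourceDCGUID> <NC> /advisory_mode
# to list (without deleting) any lingering objects before cleaning up.
Test-ReplicationAgainstTsl | Where-Object Stale | Format-Table -AutoSize
```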
- Answer: Maintains a secure channel between this computer and the domain controller for authenticating users and services. If this service is stopped, the computer may not authenticate users and services, and the domain controller cannot register DNS records.
- Answer: The schema is the Active Directory component that describes all the attributes and objects that the directory service uses to store data.
- Answer: Scavenging helps you clean up old, unused records in DNS.
- Answer: A CDC, or child DC, is a domain controller for a sub-domain under the root domain, sharing the root domain's namespace.
- Answer: AD Domain Services auditing, fine-grained password policies, read-only domain controllers and restartable Active Directory Domain Services.
- Answer: The RID master (Relative Identifier master) is responsible for assigning unique IDs to the objects created in AD.
- Answer: With a read-only domain controller, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed.
- Answer: The components of AD include:
Logical structure: trees, forests, domains and OUs.
Physical structure: domain controllers and sites.
- Answer: Unlimited. Remember, though, that it's the Administrator account, not any account that's part of the Administrators group.
- Answer: The Infrastructure Master is responsible for updating information about users and groups and the global catalogue.
- Answer: Admin$, Drive$, IPC$, NETLOGON, print$ and SYSVOL.
- Answer: Yes, you can connect Active Directory to other third-party directory services, such as the directories used by SAP, Domino etc., with the help of MIIS (Microsoft Identity Integration Server).
- Answer: Same as Read & Execute, but not inherited by files within a folder. However, newly created subfolders will inherit this permission.
- Answer: For each additional DC that is running DNS, the preferred DNS setting is the parent DNS server (the first DC in the domain), and the alternate DNS setting is the actual IP address of its own network interface.
- Answer: %SystemRoot%\SYSVOL\sysvol\<domainname>\Policies\<GUID>
- Answer: Check for a disjointed namespace, and then run Netdiag.exe /fix. You must install Support Tools from the Windows 2000 Server CD-ROM to run Netdiag.exe.
- Answer: GPT: Group Policy Template.
GPC: Group Policy Container.
- Answer: If you are able to query the ISP's DNS servers from behind the proxy server or firewall, a Windows 2000 or Windows Server 2003 DNS server is able to query the root hint servers. UDP and TCP port 53 should be open on the proxy server or firewall.
- Answer: Domain local groups assign access permissions to global domain groups for local domain resources. Global groups provide access to resources in other trusted domains. Universal groups grant access to resources in all trusted domains.
- Answer: This setting designates the Windows 2000 DNS server to be a root hint server and is usually deleted. If you do not delete this setting, you may not be able to perform external name resolution to the root hint servers on the Internet.
- Answer: It is the Group Policy inheritance model, where policies are applied in order to the local machine, sites, domains and organizational units.
- Answer: An object's attribute is set concurrently to one value at one master, and another value at a second master.
- Answer: NETDOM is a command-line tool that allows management of Windows domains and trust relationships.
- Answer: The Kerberos V5 authentication mechanism issues tickets (a set of identification data for a security principal, issued by a DC for purposes of user authentication; the two forms of tickets in Windows 2000 are ticket-granting tickets (TGTs) and service tickets) for accessing network services. These tickets contain encrypted data, including an encrypted password, which confirms the user's identity to the requested service.
- Answer: ADSI Edit is an LDAP editor for managing objects in Active Directory. This Active Directory tool lets you view objects and attributes that are not exposed in the Active Directory management console.
- Answer: Kerberos V5 is the primary security protocol for authentication within a domain. The Kerberos V5 protocol verifies both the identity of the user and of network services. This dual verification is known as mutual authentication.
- Answer: Temporary loss of the schema operations master will be visible only if we are trying to modify the schema or install an application that modifies the schema during installation. A DC whose schema master role has been seized must never be brought back online.
- Answer: Replmon is the first tool you should use when troubleshooting Active Directory replication issues.
- Answer: Netdom query fsmo, or Replmon.exe.
- Answer: When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.
- Answer: Active Directory Sites and Services allows you to specify site information. Active Directory uses this information to determine how best to use available network resources.
- Answer: This is the checkpoint file used to track the data not yet written to the database file. It indicates the starting point from which data is to be recovered from the log file in case of failure.
- Answer: This is the transaction log file (10 MB). When EDB.LOG is full, it is renamed to EDBnnnn.log, where nnnn is an increasing number starting from 1.
- Answer: repadmin.exe /options * and look for IS_GC in the options shown for each domain controller; or
nltest /dsgetdc:corp /GC
- Answer: ntdsutil - type roles - connections - connect servername - q - type seize role - at the fsmo maintenance prompt - type seize rid master
- Answer: ntdsutil - type roles - connections - connect servername - q - type transfer role - at the fsmo maintenance prompt - type transfer rid master
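The same seize and transfer operations done with the ActiveDirectory PowerShell module, added here as an example that is not part of the original page. It assumes the module is installed and that DC02 is a placeholder name for the healthy DC chosen as the new role holder.

```powershell
# Added example (not from the original page). Assumes the ActiveDirectory module;
# DC02 is a hypothetical domain controller name.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Forest-wide roles come from Get-ADForest, domain-wide roles from Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)][string]$NewHolder,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string]$Role,
        # Seize only when the current holder is permanently lost: -Force skips the
        # handover, so the old holder must never be brought back online afterwards.
        [switch]$Seize
    )
    $params = @{ Identity = $NewHolder; OperationMasterRole = $Role; Confirm = $false }
    if ($Seize) { $params.Force = $true }
    Move-ADDirectoryServerOperationMasterRole @params
}

# Graceful transfer of the RID master (the current holder is online and agrees).
Move-FsmoRole -NewHolder 'DC02' -Role RIDMaster
# Seizure, for the case where the current RID master is gone for good:
#   Move-FsmoRole -NewHolder 'DC02' -Role RIDMaster -Seize

# Confirm the result; netdom query fsmo gives the same view from cmd.exe.
Get-FsmoHolders
```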
- Answer :The KCC generates and maintains the replication topology for replication within sites and between sites. KCC runs every 15 minutes.
- Answer :Definitional details about objects and attributes that one CAN store in the AD. Replicates to all DCs. Static in nature.
- Answer :Online Defragmentation method that runs as part of the garbage collection process. The only advantage to this method is that the server does not need to be taken offline for it to run. However, this method does not shrink the Active Directory database file (Ntds.dit).
- Answer :Garbage Collection is a process that is designed to free space within the Active Directory database. This process runs independently on every DC with a default lifetime interval of 12 hours.
- Answer: These are reserved transaction log files of 20 MB (10 MB each) which give the transaction log files enough room to shut down if the other space is in use.
- Answer :Object information for a domain. Replicates to all DCs within a domain. The object portion becomes part of GC. The attribute values only replicates within the domain.
- Answer :Verify SRV Resource Records: After AD is installed, the DC will register SRV records in DNS when it restarts. We can check this using DNS MMC or nslookup command.
- Answer: This is the AD database and stores all AD objects. The default location is %SystemRoot%\NTDS\Ntds.dit.
Active Directory's database engine is the Extensible Storage Engine, which is based on the Jet database and can grow up to 16 TB.
- Answer: The types of objects that can be created in the Active Directory, the relationships between them, and the attributes on each type of object. This table is fairly static and much smaller than the data table.
- Answer: Enterprise Admins group:
Members of this group have complete control of all domains in the forest. By default, this group belongs to the Administrators group on all domain controllers in the forest. As such, this group has full control of the forest; add users with caution.
Domain Admins group:
Members of this group have complete control of the domain. By default, this group is a member of the Administrators group on all domain controllers, workstations and member servers at the time they are joined to the domain. As such, the group has full control in the domain; add users with caution.
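A membership check for these two groups, added here as an example and not part of the original page: it expands nested membership and flags members that are not on an expected list. It assumes the ActiveDirectory module, that it runs against the forest root domain (where Enterprise Admins exists), and that the expected-account list is a constructed placeholder.

```powershell
# Added example (not from the original page). Assumes the ActiveDirectory module
# and a session in the forest root domain. The $Expected list is a placeholder.
Import-Module ActiveDirectory

function Get-PrivilegedMembershipReport {
    param(
        # Constructed placeholder: accounts that are allowed to hold these memberships.
        [string[]]$Expected = @('Administrator')
    )
    foreach ($group in 'Enterprise Admins', 'Domain Admins') {
        # -Recursive expands nested groups so indirectly privileged accounts are included.
        Get-ADGroupMember -Identity $group -Recursive | ForEach-Object {
            [pscustomobject]@{
                Group      = $group
                Member     = $_.SamAccountName
                Class      = $_.objectClass
                # True for any member that is not on the expected list.
                Unexpected = ($_.SamAccountName -notin $Expected)
            }
        }
    }
}

# Show only what needs review; an empty result means membership matches the list.
Get-PrivilegedMembershipReport | Where-Object Unexpected | Format-Table -AutoSize
```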