Windows Active Directory Interview Questions

>What is Active Directory ?

Active Directory is a Meta Data. Active Directory is a data base which store a
data base like your user information, computer information and also other
network object info. It has capabilities to manage and administor the
complite Network which connect with AD.

>What is domain ?
Windows NT and Windows 2000, a domain is a set of network resources (applications, printers,
and so forth) for a group of users. The user need only to log in to the domain to gain access to the
resources, which may be located on a number of different servers in the network. The 'domain' is
simply your computer address not to confused with an URL. A domain address might look
something like 211.170.469.

>What is domain controller ?

A Domain controller (DC) is a server that responds to security authentication requests (logging
in, checking permissions, etc.) within the Windows Server domain. A domain is a concept
introduced in Windows NT whereby a user may be granted access to a number of computer
resources with the use of a single username and password combination.

>What is LDAP ?
Lightweight Directory Access Protocol LDAP is the industry standard directory access protocol,
making Active Directory widely accessible to management and query applications. Active
Directory supports LDAPv3 and LDAPv2.

>What is KCC ?
KCC ( knowledge consistency checker ) is used to generate replication topology for inter site
replication and for intrasite replication.with in a site replication traffic is done via remote
procedure calls over ip, while between site it is done through either RPC or SMTP.

>Where is the AD database held? What other folders are related to AD?
The AD data base is store in c:\windows\ntds\NTDS.DIT.

>What is the SYSVOL folder?

The sysVOL folder stores the server's copy of the domain's public files. The contents such as
group policy, users etc of the sysvol folder are replicated to all domain controllers in the domain.

>What are the Windows Server 2003 keyboard shortcuts ? 

Winkey opens or closes the Start menu. Winkey + BREAK displays the System Properties dialog
box. Winkey + TAB moves the focus to the next application in the taskbar. Winkey + SHIFT +
TAB moves the focus to the previous application in the taskbar. Winkey + B moves the focus to
the notification area. Winkey + D shows the desktop. Winkey + E opens Windows Explorer
showing My Computer. Winkey + F opens the Search panel. Winkey + CTRL + F opens the
Search panel with Search for Computers module selected. Winkey + F1 opens Help. Winkey +
M minimizes all. Winkey + SHIFT+ M undoes minimization. Winkey + R opens Run dialog.
Winkey + U opens the Utility Manager. Winkey + L locks the computer.
>I am trying to create a new universal user group. Why can’t I ?
Universal groups are allowed only in native-mode Windows Server 2003 environments. Native
mode requires that all domain controllers be promoted to Windows Server 2003 Active
Directory.

>What is LSDOU ? It’s group policy inheritance model, where the policies are applied toLocal
machines, Sites, Domains and Organizational Units.

> Which is service in your windows is responsible for replication of Domain controller to
another domain controller.
KCC generates the replication topology.
Use SMTP / RPC to replicate changes.

> What Intrasite and Intersite Replication ?

Intrasite is the replication with in the same site & intersite the replication between sites.

> What is lost & found folder in ADS ?

It’s the folder where you can find the objects missed due to conflict.
Ex: you created a user in OU which is deleted in other DC & when replication happed ADS
didn’t find the OU then it will put that in Lost & Found Folder.

> What is Garbage collection ?

Garbage collection is the process of the online defragmentation of active directory. It happens
every 12 Hours.

> What System State data contains ?

Contains Startup files,
Registry
Com + Registration Database
Memory Page file
System files
AD information
Cluster Service information
SYSVOL Folder

>What is difference between Server 2003 vs 2008?

1. Virtualization. (Windows Server 2008 introduces Hyper-V (V for Virtualization) but only on
64bit versions. More and more companies are seeing this as a way of reducing hardware costs by
running several 'virtual' servers on one physical machine.)
2. Server Core (provides the minimum installation required to carry out a specific server role,
such as for a DHCP, DNS or print server)
3. Better security.
4. Role-based installation.
5. Read Only Domain Controllers (RODC).
6. Enhanced terminal services.
7. Network Access Protection - Microsoft's system for ensuring that clients connecting to Server
2008 are patched, running a firewall and in compliance with corporate security policies.
8. PowerShell - Microsoft's command line shell and scripting language has proved popular with
some server administrators.
9. IIS 7 .
10. Bitlocker - System drive encryption can be a sensible security measure for servers located in
remote branch offices. >br> The main difference between 2003 and 2008 is Virtualization,
management. 2008 has more in-build components and updated third party drivers.
11. Windows Aero.

>What are the requirements for installing AD on a new server?

1 The Domain structure.
2 The Domain Name .
3 storage location of the database and log file.
4 Location of the shared system volume folder.
5 DNS config Methode.
6 DNS configuration.
>What is REPLMON ?
The Microsoft definition of the Replmon tool is as follows; This GUI tool enables administrators
to view the low-level status of Active Directory replication, force synchronization between
domain controllers, view the topology in a graphical format, and monitor the status and
performance of domain controller replication.

>What is ADSIEDIT ?
ADSIEDIT :ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-
level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network
administrators can use it for common administrative tasks such as adding, deleting, and moving
objects with a directory service. The attributes for each object can be edited or deleted by using
this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active
Directory. The following are the required files for using this tool: ADSIEDIT.DLL ADSIEDIT.

 
>What is NETDOM ?
NETDOM is a command-line tool that allows management of Windows domains and trust
relationships. It is used for batch management of trusts, joining computers to domains, verifying
trusts, and secure channels.

>What is REPADMIN?
This command-line tool assists administrators in diagnosing replication problems between
Windows domain controllers.Administrators can use Repadmin to view the replication topology
(sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain
controller. In addition, Repadmin can be used to manually create the replication topology
(although in normal practice this should not be necessary), to force replication events between
domain controllers, and to view both the replication metadata and up-to-dateness vectors.
>How to take backup of AD ?
For taking backup of active directory you have to do this : first go START -> PROGRAM
->ACCESORIES -> SYSTEM TOOLS -> BACKUP OR Open run window and ntbackup and
take systemstate backup when the backup screen is flash then take the backup of SYSTEM
STATE it will take the backup of all the necessary information about the syatem including AD
backup , DNS ETC.

>What are the DS* commands ?

The following DS commands: the DS family built in utility .
DSmod - modify Active Directory attributes.
DSrm - to delete Active Directory objects.
DSmove - to relocate objects
DSadd - create new accounts
DSquery - to find objects that match your query attributes.
DSget - list the properties of an object

>What are the requirements for installing AD on a new server?

An NTFS partition with enough free space.
An Administrator's username and password.
The correct operating system version.
A NIC Properly configured TCP/IP (IP address, subnet mask and - optional -
default gateway).
A network connection (to a hub or to another computer via a crossover
cable) .
An operational DNS server (which can be installed on the DC itself) .
A Domain name that you want to use .
The Windows 2000 or Windows Server 2003 CD media (or at least the i386
folder) .

>Difference between LDIFDE and CSVDE?

CSVDE is a command that can be used to import and export objects to and
from the AD into a CSV-formatted file. A CSV (Comma Separated Value) file
is a file easily readable in Excel. I will not go to length into this powerful
command, but I will show you some basic samples of how to import a large
number of users into your AD. Of course, as with the DSADD command,
CSVDE can do more than just import users. Consult your help file for more
info.

LDIFDE is a command that can be used to import and export objects to and
from the AD into a LDIF-formatted file. A LDIF (LDAP Data Interchange
Format) file is a file easily readable in any text editor, however it is not
readable in programs like Excel. The major difference between CSVDE and
LDIFDE (besides the file format) is the fact that LDIFDE can be used to edit
and delete existing AD objects (not just users), while CSVDE can only import
and export objects.
>What is tombstone lifetime attribute ?
The number of days before a deleted object is removed from the directory
services. This assists in removing objects from replicated servers and
preventing restores from reintroducing a deleted object. This value is in the
Directory Service object in the configuration NIC.

>What are application partitions? When do I use them ?

AN application diretcory partition is a directory partition that is replicated
only to specific domain controller.Only domain controller running windows
Server 2003 can host a replica of application directory partition.
Using an application directory partition provides redundany,availability or
fault tolerance by replicating data to specific domain controller pr any set of
domain controllers anywhere in the forest.

>How do you create a new application partition ?

Use the DnsCmd command to create an application directory partition.
To do this, use the following syntax:
DnsCmd ServerName /CreateDirectoryPartition FQDN of partition

>How do you view all the GCs in the forest?

C:\>repadmin /showreps domain_controller where domain_controller is the
DC you want to query to determine whether it?s a GC.
The output will include the text DSA Options: IS_GC if the DC is a GC.

>Can you connect Active Directory to other 3rd-party Directory

Services? Name a few options.
Yes, you can use dirXML or LDAP to connect to other directories.
In Novell you can use E-directory.

>What is IPSec Policy

IPSec provides secure gateway-to-gateway connections across outsourced
private wide area network (WAN) or Internet-based connections using
L2TP/IPSec tunnels or pure IPSec tunnel mode. IPSec Policy can be deployed
via Group policy to the Windows Domain controllers 7 Servers.

>What are the different types of Terminal Services ?

User Mode & Application Mode.

>What is RsOP
RsOP is the resultant set of policy applied on the object (Group Policy).

>What is the System Startup process ?

Windows 2K boot process on a Intel architecture.
1. Power-On Self Tests (POST) are run.
2. The boot device is found, the Master Boot Record (MBR) is loaded into
memory, and its program is run.
3. The active partition is located, and the boot sector is loaded.
4. The Windows 2000 loader (NTLDR) is then loaded.
The boot sequence executes the following steps:
1. The Windows 2000 loader switches the processor to the 32-bit flat
memory model.
2. The Windows 2000 loader starts a mini-file system.
3. The Windows 2000 loader reads the BOOT.INI file and displays the
operating system selections (boot loader menu).
4. The Windows 2000 loader loads the operating system selected by the
user. If Windows 2000 is selected, NTLDR runs NTDETECT.COM. For other
operating systems, NTLDR loads BOOTSECT.DOS and gives it control.
5. NTDETECT.COM scans the hardware installed in the computer, and reports
the list to NTLDR for inclusion in the Registry under the
HKEY_LOCAL_MACHINE_HARDWARE hive.
6. NTLDR then loads the NTOSKRNL.EXE, and gives it the hardware
information collected by NTDETECT.COM. Windows NT enters the Windows
load phases.

>How do you view replication properties for AD partitions and DCs?

By using replication monitor
go to start > run > type repadmin
go to start > run > type replmon

>What's the difference between transferring a FSMO role and seizing ?

Seizing an FSMO can be a destructive process and should only be attempted if the existing
server with the FSMO is no longer available.
If you perform a seizure of the FSMO roles from a DC, you need to ensure two things:
the current holder is actually dead and offline, and that the old DC will NEVER return to the
network. If you do an FSMO role Seize and then bring the previous holder back online, you'll
have a problem.
An FSMO role TRANSFER is the graceful movement of the roles from a live, working DC to
another live DC During the process, the current DC holding the role(s) is updated, so it becomes
aware it is no longer the role holder

>I want to look at the RID allocation table for a DC. What do I do?
dcdiag /test:ridmanager /s:servername /v (servername is the name of our DC)

>What is BridgeHead Server in AD ?A bridgehead server is a domain controller in each site,

which is used as a contact point to receive and replicate data between sites. For intersite
replication, KCC designates one of the domain controllers as a bridgehead server. In case the
server is down, KCC designates another one from the domain controller. When a bridgehead
server receives replication updates from another site, it replicates the data to the other domain
controllers within its site.

>What is the default size of ntds.dit ?

10 MB in Server 2000 and 12 MB in Server 2003 .

>Where is the AD database held and What are other folders related to AD ?
AD Database is saved in %systemroot%/ntds. You can see other files also in this folder. These
are the main files controlling the AD structure.
ntds.dit
edb.log
res1.log
res2.log
edb.chk
When a change is made to the Win2K database, triggering a write operation, Win2K records the
transaction in the log file (edb.log). Once written to the log file, the change is then written to the
AD database. System performance determines how fast the system writes the data to the AD
database from the log file. Any time the system is shut down, all transactions are saved to the
database.
During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size
of each is 10MB. These files are used to ensure that changes can be written to disk should the
system run out of free disk space. The checkpoint file (edb.chk) records transactions committed
to the AD database (ntds.dit). During shutdown, a "shutdown" statement is written to the edb.chk
file.
Then, during a reboot, AD determines that all transactions in the edb.log file have been
committed to the AD database. If, for some reason, the edb.chk file doesn't exist on reboot or the
shutdown statement isn't present, AD will use the edb.log file to update the AD database. The
last file in our list of files to know is the AD database itself, ntds.dit. By default, the file is
located in\NTDS, along with the other files we've discussed

>What FSMO placement considerations do you know of ?

Windows 2000/2003 Active Directory domains utilize a Single Operation Master method called
FSMO (Flexible Single Master Operation), as described in Understanding FSMO Roles in
Active Directory.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same spot
(or actually, on the same DC) as has been configured by the Active Directory installation
process.
However, there are scenarios where an administrator would want to move one or more of the
FSMO roles from the default holder DC to a different DC.
Windows Server 2003 Active Directory is a bit different than the Windows 2000 version when
dealing with FSMO placement.
In this article I will only deal with Windows Server 2003 Active Directory, but you should bear
in mind that most considerations are also true when planning Windows 2000 AD FSMO roles

>What is sites ? What are they used for ?

One or more well-connected (highly reliable and fast) TCP/IP subnets.
A site allows administrators to configure Active Directory access and
replication topology to take advantage of the physical network.
A Site object in Active Directory represents a physical geographic location that hosts networks.
Sites contain objects called Subnets.
Sites can be used to Assign Group Policy Objects, facilitate the discovery of resources, manage
active directory replication, and manage network link traffic.
Sites can be linked to other Sites. Site-linked objects may be assigned a cost value that represents
the speed, reliability, availability, or other real property of a physical resource. Site Links may
also be assigned a schedule.

>Trying to look at the Schema, how can I do that ?

register schmmgmt.dll using this command
c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc --> add snapin --> add Active directory schema
name it as schema.msc
Open administrative tool --> schema.msc

>What is the port no of Kerbrose ?

88

>What is the port no of Global catalog ?

3268

>What is the port no of LDAP ?

389

>How can you forcibly remove AD from a server, and what do you do
later? ? Can I get user passwords from the AD database?
Dcpromo /forceremoval , an administrator can forcibly remove Active
Directory and roll back the system without having to contact or replicate any
locally held changes to another DC in the forest. Reboot the server then
After you use the dcpromo /forceremoval command, all the remaining
metadata for the demoted DC is not deleted on the surviving domain
controllers, and therefore you must manually remove it by using the
NTDSUTIL command.
In the event that the NTDS Settings object is not removed correctly you can use the Ntdsutil.exe
utility to manually remove the NTDS Settings object. You will need the following tool:
Ntdsutil.exe, Active Directory Sites and Services, Active Directory Users and Computers

>What are the FSMO roles? Who has them by default? What happens when each one
fails?
Flexible Single Master Operation (FSMO) role. Currently there are five FSMO roles:
Schema master
Domain naming master
RID master
PDC emulator
Infrastructure master

> What are the physical components of Active Directory ?

Domain controllers and Sites. Domain controllers are physical computers which is running
Windows Server operating system and Active Directory data base. Sites are a network segment
based on geographical location and which contains multiple domain controllers in each site.

> What are the logical components of Active Directory ?

Domains, Organizational Units, trees and forests are logical components of Active Directory.

> What are the Active Directory Partitions ?

Active Directory database is divided into different partitions such as Schema partition, Domain
partition, and Configuration partition. Apart from these partitions, we can create Application
partition based on the requirement.

> What is group nesting ?

Adding one group as a member of another group is called 'group nesting'. This will help for easy
administration and reduced replication traffic.

> What is Active Directory Recycle Bin ?

Active Directory Recycle bin is  a feature of Windows Server 2008 AD. It helps to restore
accidentally deleted Active Directory objects without using a backed up AD database, rebooting
domain controller or restarting any services.

> What is RODC ? Why do we configure RODC ?

Read only domain controller (RODC) is a feature of Windows Server 2008 Operating System.
RODC is a read only copy of Active Directory database and it can be deployed in a remote
branch office where physical security cannot be guaranteed. RODC provides more improved
security and faster log on time for the branch office.

> How do you check currently forest and domain functional levels? Say both GUI and
Command line.
To find out forest and domain functional levels in GUI mode, open ADUC, right click on the
domain name and take properties. Both domain and forest functional levels will be listed there.
TO find out forest and domain functional levels, you can use DSQUERY command.

> Which version of Kerberos is used for Windows 2000/2003 and 2008 Active Directory ?
All versions of Windows Server Active Directory use Kerberos 5.

> Name few port numbers related to Active Directory ?

Kerberos 88, LDAP 389, DNS 53, SMB 445

> explain the process between a user providing his Domain credential to his workstation
and the desktop being loaded? Or how the AD authentication works ?
When a user enters a user name and password, the computer sends the user name to the KDC.
The KDC contains a master database of unique long term keys for every principal in its realm.
The KDC looks up the user's master key (KA), which is based on the user's password. The KDC
then creates two items: a session key (SA) to share with the user and a Ticket-Granting Ticket
(TGT). The TGT includes a second copy of the SA, the user name, and an expiration time. The
KDC encrypts this ticket by using its own master key (KKDC), which only the KDC knows. The
client computer receives the information from the KDC and runs the user's password through a
one-way hashing function, which converts the password into the user's KA. The client computer
now has a session key and a TGT so that it can securely communicate with the KDC. The client
is now authenticated to the domain and is ready to access other resources in the domain by using
the Kerberos protocol.

> Which FSMO role directly impacting the consistency of Group Policy ?
PDC Emulator.

> I want to promote a new additional Domain Controller in an existing domain. Which are
the groups I should be a member of ?
You should be a member of Enterprise Admins group or the Domain Admins group. Also you
should be member of local Administrators group of the member server which you are going to
promote as additional Domain Controller.
> Tell me one easiest way to check all the 5 FSMO roles ?
Use netdom query /domain:YourDomain FSMO command. It will list all the FSMO role
handling domain controllers.