Windows Active Directory Interview Questions
>What is a domain?
In Windows NT and Windows 2000, a domain is a set of network resources (applications, printers, and so forth) for a group of users. The user only needs to log in to the domain to gain access to the resources, which may be located on a number of different servers in the network. The 'domain' is simply your computer address, not to be confused with a URL. A domain address might look something like 211.170.469.
>What is LDAP?
Lightweight Directory Access Protocol (LDAP) is the industry standard directory access protocol, making Active Directory widely accessible to management and query applications. Active Directory supports LDAPv3 and LDAPv2.
>What is KCC?
The KCC (Knowledge Consistency Checker) is used to generate the replication topology for both inter-site and intra-site replication. Within a site, replication traffic is carried over remote procedure calls (RPC) over IP, while between sites it is carried over either RPC or SMTP.
>Where is the AD database held? What other folders are related to AD?
The AD database is stored in c:\windows\ntds\NTDS.DIT.
>What is LSDOU?
It is the Group Policy inheritance model, in which policies are applied to Local machines, Sites, Domains and Organizational Units, in that order.
>Which service in Windows is responsible for replicating one domain controller to another domain controller?
The KCC generates the replication topology.
Replication changes are carried over SMTP or RPC.
>What is ADSIEDIT?
ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. It is a Graphical User Interface (GUI) tool. Network administrators can use it for common administrative tasks such as adding, deleting, and moving objects within a directory service. The attributes of each object can be edited or deleted by using this tool. ADSIEdit uses the ADSI application programming interfaces (APIs) to access Active Directory. The following are the required files for using this tool: ADSIEDIT.DLL ADSIEDIT.
>What is NETDOM?
NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, and verifying trusts and secure channels.
>What is REPADMIN?
This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers. Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors.
>How do you take a backup of AD?
To back up Active Directory, go to START -> PROGRAMS -> ACCESSORIES -> SYSTEM TOOLS -> BACKUP, or open the Run window and launch ntbackup. When the backup screen appears, take a backup of SYSTEM STATE. This backs up all the necessary information about the system, including AD, DNS, etc.
>What is LDIFDE?
LDIFDE is a command that can be used to import and export objects to and from AD using an LDIF-formatted file. An LDIF (LDAP Data Interchange Format) file is easily readable in any text editor; however, it is not readable in programs like Excel. The major difference between CSVDE and LDIFDE (besides the file format) is that LDIFDE can be used to edit and delete existing AD objects (not just users), while CSVDE can only import and export objects.
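Because LDIFDE can modify and delete objects, an import file deserves a look before it is applied. The following parser is an added example (not code from the page and not LDIFDE itself): it reads the three LDIF change types the answer contrasts (add, modify, delete), handles continuation lines and base64 values, and counts the changes so the operator sees what an import would do. The sample LDIF and the names in it are constructed for this example.

```python
"""Minimal parser for LDIF change records as consumed by LDIFDE.

Added example, not code from the page or from LDIFDE itself. It handles
'add', 'modify' and 'delete' change types, continuation lines (leading
space) and base64 values ('::'). The sample LDIF below is constructed;
the names in it are fictitious.
"""
import base64

# Constructed sample: one add, one modify (replace), one delete.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Users,DC=corp,DC=example
changetype: add
objectClass: user
sAMAccountName: alice
displayName:: QWxpY2UgRXhhbXBsZQ==
description: Alice from
  HR

dn: CN=Bob Example,OU=Users,DC=corp,DC=example
changetype: modify
replace: description
description: Bob from Finance
-

dn: CN=Old Service,OU=Users,DC=corp,DC=example
changetype: delete
"""


def _unfold(text):
    """Join continuation lines: a line starting with a space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _attr(line):
    """Split 'name: value' or 'name:: base64value' into (name, decoded value)."""
    name, _, value = line.partition(":")
    if value.startswith(":"):
        return name, base64.b64decode(value[1:].strip()).decode("utf-8")
    return name, value.strip()


def parse_ldif(text):
    """Return a list of records: {'dn', 'changetype', 'attrs', 'mods'}."""
    records, current = [], None
    for line in _unfold(text):
        if line.startswith("#") or line == "-":     # comment / end of one modify operation
            continue
        if not line.strip():                        # blank line ends a record
            if current:
                records.append(current)
                current = None
            continue
        name, value = _attr(line)
        if name == "dn":
            current = {"dn": value, "changetype": "add", "attrs": {}, "mods": []}
        elif current is None:
            raise ValueError("attribute before dn: %r" % line)
        elif name == "changetype":
            current["changetype"] = value
        elif current["changetype"] == "modify" and name in ("add", "replace", "delete"):
            current["mods"].append({"op": name, "attr": value, "values": []})
        elif current["changetype"] == "modify" and current["mods"]:
            current["mods"][-1]["values"].append(value)
        else:
            current["attrs"].setdefault(name, []).append(value)
    if current:
        records.append(current)
    return records


def change_summary(records):
    """Count records per change type: what to review before an LDIFDE import (-i)."""
    counts = {}
    for rec in records:
        counts[rec["changetype"]] = counts.get(rec["changetype"], 0) + 1
    return counts
```

Running `change_summary(parse_ldif(SAMPLE_LDIF))` on the sample yields one add, one modify and one delete; a file that was expected to only create accounts but reports deletes is worth a second look before `ldifde -i` is run against a production domain.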
>What is the tombstone lifetime attribute?
The number of days before a deleted object is removed from the directory service. This assists in removing objects from replicated servers and prevents restores from reintroducing a deleted object. This value is held in the Directory Service object in the configuration naming context (NC).
>What is RSoP?
RSoP is the Resultant Set of Policy applied on the object (Group Policy).
>I want to look at the RID allocation table for a DC. What do I do?
dcdiag /test:ridmanager /s:servername /v (servername is the name of your DC)
>Where is the AD database held, and what are the other files related to AD?
The AD database is saved in %systemroot%\ntds. You can see other files in this folder as well. These are the main files controlling the AD structure:
ntds.dit
edb.log
res1.log
res2.log
edb.chk
When a change is made to the Win2K database, triggering a write operation, Win2K records the transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD database. System performance determines how fast the system writes the data to the AD database from the log file. Any time the system is shut down, all transactions are saved to the database.
During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is 10MB. These files are used to ensure that changes can be written to disk should the system run out of free disk space. The checkpoint file (edb.chk) records transactions committed to the AD database (ntds.dit). During shutdown, a "shutdown" statement is written to the edb.chk file.
Then, during a reboot, AD determines whether all transactions in the edb.log file have been committed to the AD database. If, for some reason, the edb.chk file doesn't exist on reboot or the shutdown statement isn't present, AD will use the edb.log file to update the AD database. The last file in our list of files to know is the AD database itself, ntds.dit. By default, the file is located in %systemroot%\NTDS, along with the other files we've discussed.
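The interplay of log, checkpoint and database above is easier to see in a small model. The following is an added example, not code from the page and not how the real ESE engine is implemented: an in-memory stand-in for edb.log, edb.chk and ntds.dit that shows when a reboot replays the log (checkpoint missing or no shutdown statement) and when it does not. The class and method names are this example's own.

```python
"""In-memory model of the edb.log / edb.chk / ntds.dit recovery logic described above.

Added example, not code from the page and not the real ESE implementation:
it only shows why the checkpoint and the shutdown marker decide whether the
log must be replayed at startup. Class and method names are this example's own.
"""


class ToyDirectoryStore:
    def __init__(self):
        self.log = []     # edb.log: ordered transaction records
        self.db = {}      # ntds.dit: committed state, dn -> {attr: value}
        self.chk = None   # edb.chk: {"committed": n, "shutdown": bool}; None = file missing

    def write(self, dn, attr, value):
        """A change always hits the log first; the database catches up later."""
        self.log.append({"dn": dn, "attr": attr, "value": value})

    def flush(self):
        """Apply log records beyond the checkpoint to the database and advance the checkpoint."""
        start = self.chk["committed"] if self.chk else 0
        for rec in self.log[start:]:
            self.db.setdefault(rec["dn"], {})[rec["attr"]] = rec["value"]
        self.chk = {"committed": len(self.log), "shutdown": False}

    def clean_shutdown(self):
        """Commit everything, then record the 'shutdown' statement in edb.chk."""
        self.flush()
        self.chk["shutdown"] = True

    def startup(self):
        """Recovery decision at reboot. Returns the number of log records replayed."""
        if self.chk is not None and self.chk["shutdown"]:
            replayed = 0                      # clean shutdown: log already fully committed
        else:
            start = self.chk["committed"] if self.chk else 0
            replayed = len(self.log) - start  # missing checkpoint or crash: replay from log
            self.flush()
        self.chk["shutdown"] = False          # the service is running again
        return replayed


def demo():
    """Crash, then clean restart. Returns (replayed after crash, replayed after clean stop, title)."""
    store = ToyDirectoryStore()
    store.write("CN=alice", "title", "Analyst")
    store.flush()                                        # checkpoint now covers record 1
    store.write("CN=alice", "title", "Senior Analyst")   # logged, not yet in ntds.dit
    after_crash = store.startup()                        # no shutdown marker: replays 1 record
    store.clean_shutdown()
    after_clean = store.startup()                        # marker present: nothing to replay
    return after_crash, after_clean, store.db["CN=alice"]["title"]
```

The point for an administrator is the last case in `startup`: a missing edb.chk is not data loss as long as edb.log is intact, which is why the log files belong in the same backup and on the same protected volume as ntds.dit.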
>How can you forcibly remove AD from a server, and what do you do afterwards? Can I get user passwords from the AD database?
With dcpromo /forceremoval, an administrator can forcibly remove Active Directory and roll back the system without having to contact or replicate any locally held changes to another DC in the forest. Reboot the server afterwards. After you use the dcpromo /forceremoval command, the remaining metadata for the demoted DC is not deleted on the surviving domain controllers, so you must manually remove it by using the NTDSUTIL command.
In the event that the NTDS Settings object is not removed correctly, you can use the Ntdsutil.exe utility to manually remove the NTDS Settings object. You will need the following tools: Ntdsutil.exe, Active Directory Sites and Services, and Active Directory Users and Computers.
>What are the FSMO roles? Who has them by default? What happens when each one fails?
Flexible Single Master Operation (FSMO) roles. Currently there are five FSMO roles:
Schema master
Domain naming master
RID master
PDC emulator
Infrastructure master
>How do you check the current forest and domain functional levels? Give both the GUI and command-line methods.
To find out the forest and domain functional levels in GUI mode, open ADUC, right-click the domain name and open Properties. Both the domain and forest functional levels will be listed there.
To find out the forest and domain functional levels from the command line, you can use the DSQUERY command.
>Which version of Kerberos is used for Windows 2000/2003 and 2008 Active Directory?
All versions of Windows Server Active Directory use Kerberos 5.
>Explain the process between a user providing his domain credentials to his workstation and the desktop being loaded. Or: how does AD authentication work?
When a user enters a user name and password, the computer sends the user name to the KDC. The KDC contains a master database of unique long-term keys for every principal in its realm. The KDC looks up the user's master key (KA), which is based on the user's password. The KDC then creates two items: a session key (SA) to share with the user and a Ticket-Granting Ticket (TGT). The TGT includes a second copy of the SA, the user name, and an expiration time. The KDC encrypts this ticket by using its own master key (KKDC), which only the KDC knows. The client computer receives the information from the KDC and runs the user's password through a one-way hashing function, which converts the password into the user's KA. The client computer now has a session key and a TGT so that it can securely communicate with the KDC. The client is now authenticated to the domain and is ready to access other resources in the domain by using the Kerberos protocol.
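The exchange above, as an added example that is not part of the original page and not Microsoft's or MIT's Kerberos code: a KDC that holds KA for each principal and its own KKDC, a client that derives KA from the password with a one-way function, and the two items the KDC returns (the session key SA sealed under KA, and the TGT sealed under KKDC). Beyond the page's narrative it also models pre-authentication, which Active Directory requires by default: the client must first prove it holds KA by sending an encrypted timestamp, otherwise the KDC issues nothing. The names (KDC, client_login, seal, unseal) and the HMAC-based toy cipher are this example's own; real Kerberos uses AES enctypes and ASN.1-encoded messages.

```python
"""Toy model of the Kerberos AS exchange described above.

Added example, not code from the page. Names (KDC, client_login) and the
HMAC-based toy cipher are this example's own; real Kerberos uses AES
enctypes and ASN.1 messages. Unlike the page's narrative it includes
pre-authentication, which Active Directory requires by default.
"""
import hashlib
import hmac
import json
import secrets
import time

MAX_SKEW = 300  # seconds; Kerberos' default clock-skew tolerance


def string_to_key(password: str, realm: str, user: str) -> bytes:
    """One-way function turning a password into the principal's long-term key KA.
    Mirrors the shape of the AES enctypes' PBKDF2 string-to-key (salt = realm + principal)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + user).encode(), 4096)


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from one Kerberos key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: HMAC keystream XOR, then HMAC tag (encrypt-then-MAC)."""
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    return nonce + body + hmac.new(mac, nonce + body, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    enc, mac = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac, nonce + body, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc, nonce, len(body))))


class KDC:
    """Holds the realm's long-term keys and its own master key KKDC."""

    def __init__(self, realm: str):
        self.realm = realm
        self.kkdc = secrets.token_bytes(32)   # only the KDC knows this
        self.keys = {}                        # principal -> KA

    def register(self, user: str, password: str):
        self.keys[user] = string_to_key(password, self.realm, user)

    def as_exchange(self, user: str, preauth: bytes):
        """AS-REQ -> AS-REP: check pre-auth, then return {SA} under KA and the TGT under KKDC."""
        ka = self.keys.get(user)
        if ka is None:
            raise PermissionError("unknown principal")
        try:
            stamp = int(unseal(ka, preauth).decode())
        except ValueError:
            raise PermissionError("pre-authentication failed") from None
        if abs(time.time() - stamp) > MAX_SKEW:
            raise PermissionError("clock skew too large")
        sa = secrets.token_bytes(32)                      # session key SA
        expiry = int(time.time()) + 10 * 3600             # 10-hour ticket lifetime (AD default)
        tgt = seal(self.kkdc, json.dumps({"user": user, "sa": sa.hex(), "exp": expiry}).encode())
        enc_part = seal(ka, json.dumps({"sa": sa.hex(), "exp": expiry}).encode())
        return enc_part, tgt

    def open_tgt(self, tgt: bytes) -> dict:
        """Later TGS requests: only the KDC can read the TGT it issued."""
        return json.loads(unseal(self.kkdc, tgt))


def client_login(kdc: KDC, user: str, password: str):
    """Workstation side: derive KA locally, prove it via pre-auth, recover SA from the AS-REP."""
    ka = string_to_key(password, kdc.realm, user)         # one-way function, never sent
    preauth = seal(ka, str(int(time.time())).encode())    # encrypted timestamp
    enc_part, tgt = kdc.as_exchange(user, preauth)
    sa = bytes.fromhex(json.loads(unseal(ka, enc_part))["sa"])
    return sa, tgt
```

Two properties worth checking in the model match the page's description: the password itself never leaves the workstation (only KA, derived by a one-way function, is used), and the TGT is opaque to the client because only the KDC holds KKDC. The pre-authentication step is the defender-relevant addition: without it, the KDC would hand out material encrypted under KA to anyone who knows a user name.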
>Which FSMO role directly impacts the consistency of Group Policy?
PDC Emulator.
>I want to promote a new additional Domain Controller in an existing domain. Which groups should I be a member of?
You should be a member of the Enterprise Admins group or the Domain Admins group. You should also be a member of the local Administrators group on the member server you are going to promote as an additional Domain Controller.
>What is the easiest way to check all five FSMO roles?
Use the netdom query /domain:YourDomain FSMO command. It will list the domain controllers holding each of the FSMO roles.