General Active Directory Interview Questions

Question 1: What is Active Directory?

Answer: Active Directory is a Microsoft directory service that stores information
about objects in a network. AD also makes it easy for the stored data to be
accessed by authorized users.

Additional Information: There are so many variations to the definition of AD.

What is important is to mention that 1, it is a Microsoft Directory service. 2, it
securely stores data about AD objects and controls access to these objects.

Question 2: Give 5 Examples of Ad Objects

Answer: Users, Computers, Printers, Groups and Organizational units (OUs)

Additional Information: There are so many you can pick from. I have listed 5
below. However, you could chose from the list in the article in this link – Active
Directory Objects List.

Question 3: Name 2 Protocols Used by AD and Explain Them

Answer: The 2 protocols used by AD are LDAP (Light Weight Directory Access
Protocol). LDAP serves the purpose of querying or modifying objects in AD.

The second Active Directory protocol is Kerberos. It is used for AD

authentication.

There are two parts to this AD interview question. One, name the 2 protocols
used by AD. Two, explain the protocols.

Question 4: What is a Domain Controller?

Answer: A Domain Controller (DC) is a Windows Server running Active
Directory Domain Services (AD DS). AD DS is installed on a Windows Server
when it is promoted to a DC.

Question 5: What is an Active Directory Forest? What is the difference

between a Forest and a Domain?
Answer 1: An AD Forest is a collection of interconnected AD Domains that trust
each other.
Answer 2: The difference between an AD Domain and a Forest is that the
Domain is part of the forest.

Additional Information: This question are two questions bundled into one
question. When you attend an AD interview or any interview, it is important to
Liston attentively to the questions and ensure you provide a complete answer.

Active Directory Interview Questions (Installation)

The next set of Active Directory interview questions will focus on AD installation
including installation requirements.

Question 6: What Are the Minimum Requirements for Installing AD in

Windows Server 2016?
Answer: AD installation does not have specified minimum requirements.
However, there are minimum installation requirements for Windows Server
2016. These minimum installation requirements are:

1. 1.4Ghz 64-bit processor or faster

2. 512MB of RAM or greater
3. 32GB of disk space or greater
4. Ethernet network adapter
This question is very tricky. Why? Because there is no minimum requirements
for installing AD. The minimum requirements specified is for installing Windows
Server 2016.

Question 7: To Install AD You Require a DNS Server. What Conditions

Must the DNS Sever Meet to Support Active Directory?
Answer: For a DNS server to support Active Directory, the server must support
the service (SRV) resource record type. Also, it must support the dynamic
update protocol.

Additional Information: This question is testing your knowledge of DNS

requirements for AD. It is important to note that to install AD, you require a
DNS Server. However, you do not necessarily need to deploy a Microsoft DNS
server. Hence, any server that meets the minimum AD requirements can
support AD.

For more information read How DNS Support for Active Directory Works.
Question 8: What is the Name of the GUI Tool You Use to Promote a
Windows Sever 2016 to a Domain Controller?
Answer: Server Manager

Additional Information: This question specifically asked about a GUI tool.

Question 9: What is the Name of the Role You Install in Server Manager
to Promote a Server to a Domain Controller?
Answer: Active Directory Domain Services

Question 10: Can You Use DCPROMO to Promote a Windows Server to

Domain Controller? Please Give Details.
Answer: No, you can no longer use DCPROMO to promote a Member Server to
a Domain Controller. The feature was deprecated in Windows Server 2012 and
moved to Server Manager.

Note: This question is testing your knowledge of changes in Windows Server

features.

Though DCPROMO have been deprecated, you have another command line
option. PowerShell! You can still promote a Server to DC using PowerShell. See
Active Directory Questions relating to PowerShell later.

Active Directory Interview Questions (Infrastructure)

This section will cover Active Directory interview questions relating to AD
infrastructure.

Question 11: What is Active Directory Schema

Answer: AD Schema defines object classes and their attributes. An example of
an object is User. The User object has First Name, Last Name, Email, etc
attributes.

Question 12: Name the 4 types of Forest Trusts You Can Create in AD?
Answer: External, Forest, Shortcut, and Realm trusts.
Additional Information: Forest Trusts allows 2 Active Directory Domains, to
communicate with each other and share resources.

Question 13: Name a GUI Tool You can Use to Create and Manage
Trusts in AD?
Answer: Active Directory Domains and Trusts

Question 14: Name a Command Line Tool You Can Use to Manage AD
Replication.
Answer: Repadmin

Additional Information: To get the command line options for Repadmin, type
the command:

Repadmin /?
Run Repadmin command in a Domain Controller.

Question 15: What AD GUI Tool Can You Use to Configure Replication
Between Two Domain Controllers?
Answer: Active Directory Sites and Services

Question 16: Name the 5 Flexible Single Master Operations (FSMO)

Roles?
Answer: Schema Master, Domain Naming Master, RID Master, The PDC
Emulator Master and Infrastructure Master.

Additional Information: FSMO may be pronounced FiSMO. So if you here

name the 5 FiSMO , it is the same question. To read more about the FiSMO
roles, read my tutorial Active Directory: Concepts, Installation &
Administration (opens in a new window).

Question 17: What is the Difference Between Multi-Master and Singe-

Mater AD Operations?
Answer: Multi-master AD operation means that all Domain Controllers have
writable copies of the Active Directory database. This means that any DC can
update the AD database and replicate the changes to other Domain Controllers.
On the other hand, a Single-master AD operation means that one DC is
designated an operations role and only that DC can carry out that operation and
update other DCs.

Additional Information: The reason for Single-master AD operation is the

nature of the tasks that require Single-master operations. If two DCs were to
perform these operations at the same time, it would lead to conflict. To learn
more about FSMO roles, multi-master and single-master operations, read
my Active Directory tutorial.

Active Directory Interview Questions (Configuration)

The Active Directions interview questions covered in this category are about
service accounts. Also covered are managed service accounts, Service Principal
Names and Kerberos delegation.

Question 18: What is the Difference Between Service Accounts and

Managed Service Accounts?
Answer: A service account is a user account that is created to isolate a service
or application. On the other hand, Managed service accounts are managed
domain accounts that resolve limitations of the normal service account like
password and SPN management.

Additional Information: Managed service accounts (MSAs) were introduced

with Windows Server 2008 R2. MSAs resolve some of the challenges faced by
administrators using the native service accounts to manage applications.

Specifically, MSAs provide the following solutions:

1. Automatic password management (automatically updated every 30 days)

2. Simplified Service Principal Name (SPN) management, including delegation of
management to other administrators.

Question 19: Name 2 Limitations of Normal Service Accounts

Answer: Service Account Lockout and Service account password expiration.

Additional Information: If a service account is used by multiple applications

and the password is changed, an administrator will be required to update the
password on all the applications. However, if the administrator forgets to update
it on one of the applications, the application will attempt to use the old
password and in the process, may lock out the account.
Also, if a service account password was to expire, this will prevent the service
account from running the application until the password is changed. So a
service account password should be configured not to expire. This poses a
significant security risk.

Question 20: Name 5 Benefits of Managed Service Accounts

Answer: The following are the benefits of Managed Service Accounts:

1. Passwords changed automatically every 30 days.

2. The password is randomly generated using 120 characters.
3. MSAs are bound only to one computer.
4. MSAs can be placed into groups. This provides a work-around to give them
access to other resources on the network.
5. Automatic Service Principal Name (SPN) registration.

Question 21: Name the Windows Tool You Use to Create Managed
Service Accounts
Answer: Windows PowerShell

Question 22: What Is a Service Principal Name (SPNs)

Answer: A service principal name (SPN) is the name by which a client uniquely
identifies an instance of a service.

Additional Information: If multiple instances of a service are installed on

computers throughout a forest, each instance must have its own SPN. A given
service instance may have multiple SPNs if there are multiple names that clients
might use for authentication.

Question 23: Name one GUI tool and a Command Line Tool You can
Use to Create a Service Principal Name?
Answer 1 (GUI Tool): Active Directory Users and Computers

Answer 2 (Command Line Tool): Setspn

Question 24: What is Kerberos delegation?

Answer: Kerberos Delegation is permitting another computer or service to
allow a Kerberos ticket to be created for another service on the originating
user’s behalf.

Additional Information: Kerberos is a secure ticket-based protocol for

authenticating a service request. It is integral to the Active Directory security
structure.

Question 25: What is Universal Group Membership Caching (UGMC)?

Answer: UGMC is a process where a Domain Controller (with UGMC enabled)
retrieves Universal Group Membership information from a Global Catalog server.
This happens when a user logs on to the domain for the first time. The DC then
caches the information.

On subsequent logon requests by the same user, the domain controller (with
UGMC enabled) uses cached universal group memberships. It means that the
DC does not have to contact a global catalog server.

Additional Information: In a multi-domain forest, when a user logs on to a

domain, a global catalog server must be contacted to determine the universal
group memberships of the user. A universal group can contain users from other
domains. It can be applied to access control lists (ACLs) on objects in all
domains in the forest.

Therefore, during a logon session universal group memberships must be

ascertained so that the user is granted the appropriate access. Access is
granted both in the domain the user is logging into and in other domains.

Only global catalog servers store the memberships of all universal groups in the
forest. Therefore, if a global catalog server is not available in the site when a
user logs on to a domain, the domain controller must contact a global catalog
server in another site. If the link between the sites ina slow WAN link, this can
potentially slow down the login session. Thus, the need for UGMC.

Active Directory Interview Questions (Maintenance)

These Active Directory interview questions cover AD maintenance like
transferring or seizing FSMO roles, backup and restore AD and SYSVOL and
more.

Question 26: Name one Tool You Can Use to Transfer and Seize FSMO
Roles
Answer: ntdsutil

Additional Information: There is no option to seize a FSMO role from a GUI

tool like Active Directory Users and Computers. You can only seize FSMO roles
using ntdsutil. However, FSMO role transfer can be accomplished with either a
GUI tool or ntdsutil utility.

Question 27: List the Items Backed Up When You Perform a System
State Backup of a DC.
Answer: A DC system state backup copies the following:

 Registry.
 COM+ Class Registration database.
 Boot files.
 Active Directory database (Ntds.dit) file and log files.
 SYSVOL directory.
Additional Information: Depending on roles installed on the DC, the following
additional files may be included in a DC system state backup:

 Active Directory Certificate Services (AD CS) database.

 Cluster service information.
 Microsoft Internet Information Services (IIS) meta directory.
 System files under Windows Resource Protection.

Question 28: If AD partitions are not Backed Up with sufficient

frequency, What Event ID is Logged?
Answer: Event ID 2089

Additional Information: After performing an initial Active Directory backup on

a domain controller, Event ID 2089 provides warnings about the backup status
of each directory partition that a domain controller stores. This includes
application directory partitions.

Question 29: What is The Default Tombstone Lifetime for Windows

Server 2016?
Answer: 180 days.
Question 30: What AD Tool Can You Use to View and Modify the
Tombstone Lifetime?
Answer: ADSI Edit

Question 31: What is the Difference Between Authoritative and Non-

Authoritative Restore?
Answer: Authoritative restore does not allow replication to overwrite the
restored deletions. Instead, the restored objects replicate authoritatively to the
other domain controllers in the domain.

On the other hand, non-authoritative allows Active Directory replication to

update the restored domain controller to the current state of AD DS.

Question 32: Most AD Maintenance Tasks Are Performed with AD DS

online. Name 2 AD Maintenance Tasks that Require You to Take AD DS
Offline to perform the Tasks?
Answers: Offline AD database Defragmentation and AD DS database
relocation.

Active Directory Interview Questions (PowerShell)

Windows PowerShell Skills have become a critical requirement for most
Windows Admin jobs. This include Active Directory Administration. The last set
of Active Directory Interview Questions covers managing AD with PowerShell.

Question 33: What PowerShell command do You Use To Retrieve AD

Users?
Answer: Get-ADUser

Question 34: What PowerShell Command Can You Run to Promote a

Windows Sever to a DC?
Answer: Add-WindowsFeature -name ad-domain-services –
IncludeManagementTools –Restart

Additional Information: The IncludeManagementTools parameter includes all

AD admin tools while the Restart parameter will force a reboot after AD DS
installation. To learn more about PowerShell commands, read 18 Powershell
Commands Every Windows Admin Should Know.

Question 35: What PowerShell Command Can You Use to Update An

Existing AD User?
Answer: Set-ADUser